
UNIVERSITY OF THE AEGEAN

Department of Information and Communication Systems Engineering

Postgraduate Studies Programme

Mobile Device Forensics: A Review to reveal the truth from the bytes

Konstantia Barmpatsalou

Committee

Supervisor: Georgios Kambourakis, Assistant Professor. Members: Demosthenes Vouyioukas, Assistant Professor; Elisavet Konstantinou, Assistant Professor.


Mobile Device Forensics: A Review to reveal the truth from the bytes

This Master's Thesis was presented before the Faculty of the University of the Aegean

in partial fulfilment of the requirements for the

Master's Degree in Technologies and Management of Information and Communication Systems

by Konstantia Barmpatsalou, Winter Semester 2012


THE THREE-MEMBER EXAMINATION COMMITTEE APPROVES THE MASTER'S THESIS OF:

Georgios Kambourakis, Supervisor (Date), Department of Information and Communication Systems Engineering

Demosthenes Vouyioukas, Member, Department of Information and Communication Systems Engineering

Elisavet Konstantinou, Member, Department of Information and Communication Systems Engineering

UNIVERSITY OF THE AEGEAN, WINTER SEMESTER 2012


Statement of Authenticity

I declare that this thesis is my own work and was written without literature other than the sources indicated in the bibliography. Information used from the published or unpublished work of others has been acknowledged in the text and has been explicitly referred to in the given list of references. This thesis has not been submitted in any form for another degree or diploma at any university or other institute of tertiary education.

Karlovassi, 04/02/2013 (Place, Date) (Signature)

Contents

1 Introduction
2 Scope, Limitations and Methodology
  2.1 Scope
  2.2 Methodology
  2.3 Limitations
    2.3.1 Low-level Modifications
3 Classification
  3.1 Acquisition Types
    3.1.1 Operating Systems
    3.1.2 Data Types
4 State-of-the-art
  4.1 Standards Background
  4.2 iOS Forensics
  4.3 Symbian Forensics
  4.4 Android Forensics
  4.5 Windows Mobile Forensics
  4.6 Blackberry Forensics
  4.7 Maemo Forensics
  4.8 Multiple OSs Forensic Studies
5 Timeline
6 Discussion
  6.1 Towards a common framework
7 Conclusions Outline
8 Challenges and Food for thought
A Appendix
  A.1 Introduction
  A.2 Preliminaries
    A.2.1 Acquisition Methods
    A.2.2 Operating Systems
    A.2.3 Data Types
  A.3 State-of-the-art
    A.3.1 Standards Background
    A.3.2 Android Forensics
    A.3.3 Blackberry Forensics
    A.3.4 iOS Forensics
    A.3.5 Maemo Forensics
    A.3.6 Symbian Forensics
    A.3.7 Windows Mobile Forensics
    A.3.8 Multiple OSs Forensic Studies
  A.4 Discussion
    A.4.1 Representation of the major contributions in chronological order
    A.4.2 Towards a common framework
    A.4.3 Future Challenges
  A.5 Conclusions

ABSTRACT

Mobile Forensics is an interdisciplinary field consisting of techniques applied to a wide variety of handheld device types. A great number of studies have been conducted, concerning various mobile operating systems, data acquisition types and retrieved data types. This paper aims to provide an adequate view of the field, by reviewing and presenting a detailed overview of the work carried out throughout the last seven years. A schematic timeline of the most significant studies will be designed, in order to provide researchers with a quick but satisfying way of observing the trends within the field. This will also be an analytic progress report concerning the evolution of mobile forensics. Since the field suffers from a lack of standardization, the research can set the foundations for a common framework proposal. Technology concerning mobile devices is evolving at a rapid pace and disciplines will be subject to change frequently. A strong fundamental infrastructure, though, will serve for quick and effective adaptation.

© 2012 Konstantia Barmpatsalou, Department of Information and Communication Systems Engineering, University of the Aegean

Chapter 1

Introduction

The Internet and Information Technology (IT) are no longer a novelty, but a necessity in almost every aspect of people's lives, extending to a great variety of purposes, from business, education and public health to entertainment, commerce and more. Models and behavioral patterns have changed in order to adapt to the new conditions. It is inevitable that delinquent actions and patterns followed the same direction in their evolution and differentiation. Cyber crime, and even the involvement of IT infrastructures in lesser or major criminal activities, led to the formation of a new discipline, Digital Forensics (DF), equivalent to classical forensics, where "evidence analysis takes place using data extracted from any kind of digital electronic device" [13]. A digital device can participate in a crime by different means. "It can be an instrument of a crime, a target of a crime or a storage of evidence" [29]. Due to the different attributes among types of digital devices, there are multiple forensic disciplines concerning each one of them. Thus, DF is divided into the following categories: Computer Forensics, Network Forensics, Small Scale Device Forensics (Mobile Forensics), Forensic Audio and Forensic Video.

Technology concerning mobile devices has presented revolutionary growth during the last decade. Mobile phones, enhanced with hardware and software capabilities, no longer serve only as means of communication, but as small scale portable computers with extended communication capabilities. "Mobile phone forensics is the science of recovering digital evidence from a mobile phone under forensically sound conditions using accepted methods" [20]. Since their use has become widespread, the probability of their being involved in a criminal action keeps growing.

The field of Mobile Forensics is challenging by default, since devices behave differently from desktop computers, laptops and notebooks. Faster power consumption in mobile devices is a factor to be taken into consideration. Handheld device batteries drain more rapidly than those of computers, and investigators need to plan ahead in order to be equipped with the appropriate charging cables. Technology also evolves faster when it comes to mobile devices. While some methods may be effective for a certain device or Operating System (OS) version, they may be useless for its successor. The variety of models and OSs can also raise a barrier concerning usage training. Investigators charged with the task of interacting with the devices have to be advanced users, in order to avoid human driven errors. On the other hand, the amount of data acquired from small scale devices is considerably smaller than that retrieved from personal computers [47].

The rest of the thesis is structured as follows. In Chapter 2, the scope, limitations and methodology of the research are presented. Chapter 3 enumerates, classifies and analyzes the criteria that will be used for the application of the methodology. Chapter 4 contains a detailed description and review of the state-of-the-art, while Chapter 5 serves the research timeline presentation. Discussion and conclusions are presented in Chapters 6 and 7. Finally, Chapter 8 provides the appropriate background for future work on the field.


Chapter 2

Scope, Limitations and Methodology

2.1 Scope

The main target of the research is to create a literature timeline, consisting of milestones and significant studies. As a result, newcomers or even experts of the field will be able to have a compact image of the state of the art. This will also work as a motive for research and will provide scientists with the necessary supplies. [26] claim that one of the major difficulties in the field of mobile forensics is the "general lack of hardware, software and/or interface standardization within the industry" [26]. This fact makes forensic examination a hard task, especially for unified research. The present research aspires to provide a complete view of the state-of-the-art, by performing an in-depth study of the field. A schematic representation of the research timeline, which facilitates further observation, is within the scope of this thesis. Unifying such a vast research area is a hard task to complete. A proper classification of structural elements, though, would serve in clarifying the field. The most critical parameters were related to the most significant differences among the characteristics of the devices. After both the classification and schematic representation procedures are completed, tendencies, trends and attitudes will be easily grouped and then discussed.

2.2 Methodology

When dealing with a research area for the first time, it is a principle to observe the dominant disciplines. After querying resource databases, such as ACM, Science Direct (Elsevier), SpringerLink, Taylor & Francis, etc. with general purpose keywords (mobile forensics, data acquisition from mobile devices, "OS name" forensics), a considerable number of research papers were returned. Existing knowledge and information deriving from the bibliography are combined in order to form a categorization of the most significant aspects of the field. Classification is divided into two major categories. The first one concerns general characteristics, such as publication date and presence or absence of low level modifications (root / jailbreak / capability hack).

The second subcategory is more complicated and consists of the following three parameters: acquisition type, OS type and extracted data type. Both subcategories appear in the final timeline. Once categorization is complete, a first outline of the timeline sketch is created. Rectangles containing years are placed vertically at the left and right edges of the grid. Meanwhile, the horizontal bottom part, right after the end of the last year rectangle, is divided into three parts, related to low-level modification mechanisms. Studies may concern modified devices or non-modified ones, while in some others both types can coexist. Each category corresponds to one third of the grid. Research papers are placed as separate entities of different shapes, with unique texture and letter characteristics. Final formats will be decided later in the research. The next step is to check whether the search results meet the classification criteria and modify the ones needed. A more careful study of the field involved further search about critical issues present within the literature. Keyword selection became more specific and issue oriented. Literature resources were then gathered and their BibTeX citations were exported and grouped in the JabRef reference manager in alphabetical order of the author's last name. Use of a specific kind of numbering is essential, since it is going to serve as an entity identifier in the timeline. From a total of fifty-four literature resources, thirty-three were considered significant and relevant to the initial scope of the research. Each entry was examined, classified according to the existing criteria and took its place in the timeline diagram, according to the year it was published. More information about each entity format will be provided in the Figure Explanation section. Meanwhile, equivalent bibliography resources will be evaluated and reviewed. Thus, potential readers will be able to access a more analytic view of the field. When the final form of the timeline is complete, it will serve as a source of arguments concerning the trends and state-of-the-art.

2.3 Limitations

Dealing with mobile device forensics from the very beginning of their existence would be a time-consuming and outdated procedure, since literature related to them is poor and older generation devices are not used anymore. The complexities of smartphone functionality, in addition to the fact that more and more subscribers obtain such devices, led to the decision to limit the research solely to the smartphone area. The assumptions above also impose time limitations; thus only research papers written after 2006 will be taken into consideration. "The important processes involved in a cyber crime investigation are evidence identification, seizure, acquisition, authentication, analysis, presentation and preservation" [39]. This paper will mainly focus on acquisition, analysis and presentation. Many studies throughout the literature have used commercial forensic suites in order to extract final conclusions. This research tries to dive deeper than that. Development of commercial forensic tools is based on elements of the main acquisition types. As a result, the study will focus on implementations and experiments which aspire to improve the quality and effectiveness of already existing acquisition techniques. Papers utilizing forensic suites will also be evaluated at a more abstract level. Despite the fact that the research is technology oriented, theoretical background and guidelines are tightly connected to the forensic methodology. Consequently, they are going to be a reference point during the research. Even if removable storage media are parts of the mobile devices themselves, their forensic examination is bypassed by most researchers, since classic forensic techniques can be applied to them for data acquisition.

2.3.1 Low-level Modifications

Low-level modifications can have a variety of names depending on the OS they are applied to. Whether known as rooting (Android, Windows Mobile), jailbreak (iOS) or capability hack (Symbian), they have been the apple of discord throughout the history of Mobile Forensics, as their use would work as a limitation to the admissibility of evidence in court [1, 20]. In general terms, low-level modifications grant access to system areas which are by default protected by each OS manufacturer. The privileges users gain after applying a low-level modification vary among different OSs. For example, Android users are able to install and run applications that require access to the root directory, such as backup features. In addition to root privileges, iOS users can also install applications not available in the AppStore. Capabilities on Symbian devices are security mechanisms that can be bypassed by installing a root certificate, thus allowing users to install and execute unsigned applications.


Chapter 3

Classification

The three main categories concerning smartphones are related to the prevailing differences among device characteristics. They are: Acquisition Type, Operating Systems and Acquired Data Types.

3.1 Acquisition Types

First and foremost, forensic acquisition from devices is divided into three categories: manual, logical and physical. Each one of them uses different attributes of the device in order to extract the desired amount of data. Manual acquisition amounts to whatever an individual is capable of acquiring by interacting with the device itself. The procedure may consist of two separate steps: keeping "a log of the actions taken" [12] and interacting with installed applications in order to copy the existing data [29]. Additional means, such as cameras, can be used in order to record the device state [12]. Due to the fact that manual acquisition is the only technique returning data in human interpretable format, it needs to take place simultaneously with the other two kinds. As a result, it will not be examined as a separate category, but will be integrated into the other two. Since the probability of human error is very high and crucial elements can be bypassed, it should be used as a supplementary method. Logical acquisition mainly concerns data that have not been deleted and is "achieved by accessing the file system" [14]. Data that have already been deleted are less likely to be acquired, but it is not impossible. Logical acquisition techniques and tools interact with the file system, whereas physical acquisition ones access lower areas. This is responsible for the different behavior towards certain kinds of files. "Sometimes logical acquisition is not possible, for instance when the device is broken beyond repair, or when the device does not have a standard interface to do the logical acquisition over" [24]. Physical acquisition is not related to the file system but to the physical storage medium. Such a technique is also referred to as a bitwise copy of the internal flash memory [12, 35, 43]. This kind of acquisition is more likely to retrieve deleted data [16], since they are merely considered unallocated, but continue to exist. Physical acquisition is a procedure which is more likely to lead to the destruction of the device due to human mistakes, so its use is limited to occasions when it is considered the last resort. "True physical acquisition can either mean physically removing memory from the device, using hardware techniques like JTAG to extract data from the device or use an (adapted) bootloader to gain low level access to the device" [24]. These kinds of techniques "are not only technically challenging and require partial to full disassembly of the device, but they require substantial post-extraction analysis to reassemble the file system" [14]. Nevertheless, it is generally accepted that physical acquisition prevails over logical, because it "allows deleted files and any data remnants present to be examined" [20]. The nature of physical acquisition techniques led to the development of alternative, less risky solutions, such as the "pseudo-physical acquisition" for the Windows Mobile OS [24]. It has not been further proven, though, that those techniques are applicable to other Operating System (OS) carriers.

Figure 3.1: Mobile OS Market Share

3.1.1 Operating Systems

A factor of heterogeneity which is an impediment to the development of a common mobile forensics framework is the existence of different OSs for mobile devices. Current market share, based on a survey conducted by the "sparkwiz.com" web site, gives Android and iOS the prevailing percentages, as shown in Figure 1. Other OSs, such as Blackberry and Windows Mobile, are also popular choices. The Android, iOS, Windows Mobile, Blackberry, Symbian and Maemo cases are going to be examined throughout the research. Selection criteria derive from market share, popularity and frequency of appearance among paper search results. A brief overview of the OSs' characteristics will be made in the next paragraphs, alongside their impact on forensic acquisition.

Android

Android was first released in 2007 and in less than five years managed to become the dominant OS in the mobile handset market. The OS runs on a Linux 2.6-based kernel, which supports fundamental functions, such as device drivers, network infrastructure and power management [14, 46, 47]. The next level of the Android architecture is the domain of the libraries, split into application and Android Runtime ones. The former category provides the appropriate infrastructure for applications to run properly, such as binaries and graphics support, while the latter "consists of the Dalvik Virtual Machine (DVM) and the core libraries that provide the available functionality for the applications" [47]. Its main purpose is the creation of a stable and secure environment for application execution. Each application runs in its own sandbox (virtual machine). Therefore, it is not affected by other applications or system functions. Using certain resources is only permitted by special privileges. This way, a satisfying level of security is preserved. While the Android Runtime Libraries are written in Java [47], the DVM translates Java to a language that the OS can perceive [40]. The rest of the architecture consists of the Applications Framework and the Applications Layer, which manage the general application structure, such as containers and alerts, and the applications themselves. A preview of the OS architecture is depicted in Figure 2.

Figure 3.2: Android Architecture

Due to its small chip size, non-volatile nature and energy efficiency, NAND flash memory was selected to equip Android devices for storage purposes [14, 50]. NAND flash memory needed a file system "aware of the generic flash limitations and take these into account on the software level when reading and writing data from and to the chip" [50]. Yet Another Flash File System 2 (YAFFS2) was the first file system implemented for devices running the Android OS. After some years of actual use, on the other hand, many issues concerning system performance, speed of input/output actions and large file coverage occurred. As mobile device architecture tends to follow the path of computers and acquire multiple core processors, another obstacle arises, since YAFFS2 cannot support the specific technology [23]. Right before the release of version 2.3 of the OS (Gingerbread), the file system was replaced by EXT4. The specific file system, apart from successfully coping with the weak points of its ancestor, is enhanced with the "journaling event function" [23], which provides recovery options and facilitates acquisition of unallocated files. Android provides potential developers with the SDK (Software Development Kit), which includes a very important tool for forensic and generic purposes, the Android Debug Bridge (adb). Adb uses a TCP or USB connection between a mobile device and a computer. The appropriate software is installed at both sides in order to acquire debugging information, start a shell session with the provided interface, initiate file transactions and add or remove applications [14, 40, 46]. Since adb grants a terminal interface, actions like rooting and memory image extraction can be easily performed. NAND flash memory was incompatible with the Linux-based kernel. A new technique had to be implemented in order to provide the software components with the ability to access the flash memory areas [46]. The Memory Technology Devices (MTD) system was one of the facilities serving as an intermediary between the kernel and the file system and is present in many Android devices. Handsets that do not support the MTD system usually utilize the plain Flash Transaction Layer (FTL) that enables communication between the two parts [14]. Although there are no restrictions concerning the MTD numbers or types, a certain standard has been adopted by many device manufacturers [14, 26, 46]. MTDs are divided into several partitions, according to the type of information they store. They can contain information about booting, recovery, user data, configurations, cache and system files.

Forensically Significant Data

The Android OS is capable of saving data in different areas of the device. Hoog [14] sorted the specific areas into the following five categories.

• Shared Preferences, mainly concerning .XML and other generated types of information deriving from application data.

• Internal Storage, referring to flash memory or external storage images. MTDs are the most representative category. They are situated under the /dev/mtd folder and the forensically important ones are those carrying system files and user data.

• External Storage, related to removable media. This category is beyond the scope of the present research and its elements will not be further mentioned or analyzed.

• SQLite, concerning databases. They can be located in different places inside the internal memory and may contain user or application generated data. Some of the most significant databases are related to contacts (contacts.db), messaging (mmssms.db), GPS coordinates (geolocation.db) and Google account credentials (accounts.db).

• Network, which interacts with internet storage applications (Dropbox, Google Drive) or network packages and artifacts.
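The following Python example is added here and is not code from the thesis. It illustrates, against one of the SQLite databases listed above, the point made in Section 3.1 that deleted data are merely treated as unallocated and continue to exist: a constructed, simplified stand-in for the sms table of mmssms.db is created, one message is deleted, and the logical (database API) view is compared with a raw-bytes scan of the file, which is what a bitwise physical image would contain. The schema, the message texts and the secure_delete setting are assumptions.

```python
"""Logical versus physical view of an Android-style SQLite message store."""
import os
import sqlite3
import tempfile

# Constructed sample messages: (address, date in ms since the epoch, body).
# The columns mimic, in simplified form, the sms table of mmssms.db.
SAMPLE_SMS = [
    ("+15550001111", 1356998400000, "Meet at the usual place at 9"),
    ("+15550002222", 1356998460000, "Invoice 4471 is paid, thanks"),
    ("+15550003333", 1356998520000, "Erase this one after reading"),
]
DELETED_BODY = SAMPLE_SMS[2][2]


def build_sample_db(path):
    """Create the database, store all messages, then delete one of them."""
    con = sqlite3.connect(path)
    # Assumption for the demonstration: the handset's SQLite build does not
    # zero freed cells (secure_delete off), which was the usual default.
    con.execute("PRAGMA secure_delete = OFF")
    con.execute(
        "CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
        "date INTEGER, body TEXT)"
    )
    con.executemany(
        "INSERT INTO sms (address, date, body) VALUES (?, ?, ?)", SAMPLE_SMS
    )
    con.commit()
    # The user deletes one message; SQLite only marks its cell as free space
    # inside the page, it does not wipe the bytes.
    con.execute("DELETE FROM sms WHERE body = ?", (DELETED_BODY,))
    con.commit()
    con.close()


def logical_acquisition(path):
    """File-system level view: what the database API reports (live rows only)."""
    con = sqlite3.connect(path)
    rows = con.execute(
        "SELECT address, date, body FROM sms ORDER BY _id"
    ).fetchall()
    con.close()
    return rows


def physical_carve(path, needles):
    """Raw-bytes view: scan the file image for message bodies regardless of
    whether SQLite still considers the containing cell allocated."""
    with open(path, "rb") as fh:
        image = fh.read()
    return {text: text.encode("utf-8") in image for text in needles}


def run_demo():
    """Build the sample database and return (logical rows, carve results)."""
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "mmssms.db")
        build_sample_db(db_path)
        logical = logical_acquisition(db_path)
        carved = physical_carve(
            db_path, [body for _, _, body in SAMPLE_SMS] + ["never stored"]
        )
    return logical, carved


if __name__ == "__main__":
    live, found = run_demo()
    print("logical acquisition returned", len(live), "messages")
    for body, present in found.items():
        state = "present" if present else "absent "
        print(f"{state} in raw image: {body!r}")
```

On a real handset the database file would come from an adb pull or a physical image; the carve here is a plain substring scan, not a parser of SQLite's free-block structures, so it shows that the remnant exists rather than reconstructing the full record.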

iOS

Similarly to Android, iOS was first released in 2007. It is a UNIX-based OS, partially following the architecture of its MacOS X equivalent. The main storage device of a mobile phone running iOS is divided into two partitions. The first contains the fundamental OS structure and the applications, while the second contains all the user-manipulated data [16]. The two bottom layers, Core Services and Core OS, provide support for low level data types, network sockets and file access interfaces. The Media Services layer consists of the infrastructure responsible for 2D and 3D graphics, audio and video. Finally, the Cocoa Touch layer contains two subcategories, the UIKit, which is equipped with the appropriate interface material for applications, and the Foundation framework, which supports file management, collections and network operations [47].

Forensically Significant Data

Data of the highest importance are situated in the data partition of iOS. Some of them are presented in the following lines [15]:

• Dhcpclient: plist containing IP addresses

• Keychains.db: database with stored application passwords

• Logs: system information such as Serial Number (S/N), OS Version and Firmware Version

• Mobile: user data

• Preferences: device and network artifacts

• Root: GPS location info, pairing certificates

• Run: system log

• Tmp: plist backup

Figure 3.3: iOS Architecture

Blackberry

Devices running the Blackberry OS are designed by the RIM Company and are considered the most popular within the business world. Few things concerning the OS itself and its ingredients are known, since the manufacturer does not provide sufficient documentation. A significant attribute of the OS is that it consists of two separate runtime environments, one Java ME-based, destined for applications, and one MDS-based, destined for network functionality and operations. User data, such as contacts, messages, images and OS artifacts, are stored in databases, which are the acquisition target of every forensic operation.

Figure 3.4: Blackberry Architecture

Figure 3.5: Windows Architecture

Windows Mobile

The Windows Mobile OS is the evolution of Windows CE, used mainly on handheld devices, such as palmtops and PDAs [39]. It is a Windows-based system, with similar properties specially modified in order to suit the nature of mobile devices. One of the basic examples in this category is its file system. The T-FAT file system (Transaction-safe File Allocation Table) is a variation of the FAT file system used in desktop versions of Windows, enhanced with recovery options [24, 47]. Devices support either NOR or NAND flash chips. Like the mobile OSs mentioned before, the architecture of the Windows Mobile OS consists of similar layers. The upper layer, Application UI, is the medium between the user and the applications, while the lower layer above the hardware provides the appropriate infrastructure for the completion of system-oriented routine tasks, such as start-up, networking and other functions [38]. Meanwhile, the Framework and CLR layers contain libraries serving the execution and performance of applications.

Forensically Significant Data

The two main sources of forensic evidence in Windows Mobile handsets are the cemail.vol and pim.vol databases [5, 12, 24, 38]. Cemail.vol contains “information relating to communications, including text messages and portions of e-mails” [24], except for mail attachments. On the other hand, pim.vol is a compilation of different databases, concerning call logs (clog.db), contacts, speed dial entries (speed.db) and to-do task lists. Other, less popular locations are listed below [5]:

• \Documents and Settings\default.hv or system.hv: System Registry Hive

• \Windows\Messaging\Attachments: Mail attachments in .att format

• \Windows\eT9Cdb.Cdb and eT9Rudb.Rdb: User modified T9 dictionary files

• \Windows\Profiles\guest: Browser history, cache and cookies

• \My Documents\UAContents: Random user actions and MMS particles

Klaver [24] introduced the concept of the RAM heap as a potential source of evidence. Applications reserve and release memory chunks within the heap according to their resource needs. Buffers usually take advantage of it in order to store temporary data, such as a location, a draft e-mail or a text message. At first, applications reserve some amount of memory with a malloc-type dynamic allocation function and use the free() call in order to release it. Even after the free call completes, the data remain in the heap until they are overwritten. Thus, they can be accessed by investigators.
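To make the remanence Klaver describes concrete, here is an added example (not from the thesis or from [24]) built on a constructed toy heap in Python: a draft text message is written, released with free(), and then recovered by a string carver run over the heap image; the scrub and reuse flags show the two things that do remove it, wiping before release and overwriting by a later allocation.

```python
import re


class ToyHeap:
    """Constructed stand-in for a process heap: a flat byte arena with a bump
    allocator. As with the heap Klaver describes, free() only marks a chunk
    reusable; it does not wipe the bytes, so they survive until overwritten."""

    def __init__(self, size=512):
        self.arena = bytearray(size)
        self.top = 0
        self.free_list = []            # (offset, length) of released chunks

    def malloc(self, n):
        """Reuse the first released chunk that fits, otherwise bump-allocate."""
        for i, (off, ln) in enumerate(self.free_list):
            if ln >= n:
                del self.free_list[i]
                return off
        off = self.top
        self.top += n
        return off

    def write(self, off, data):
        self.arena[off:off + len(data)] = data

    def free(self, off, n, scrub=False):
        """Release a chunk. scrub=True zeroes it first, which is the mitigation:
        data wiped before release leaves nothing to carve."""
        if scrub:
            self.arena[off:off + n] = bytes(n)
        self.free_list.append((off, n))


def carve_strings(image, min_len=8):
    """Recover printable ASCII runs from a heap image, as a string carver would."""
    pattern = rb"[ -~]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, image)]


def draft_message_scenario(scrub=False, reuse=False):
    """Write a draft SMS into the heap, free it, optionally reuse the chunk,
    then carve. Returns the strings an examiner would recover from the image."""
    heap = ToyHeap()
    draft = b"DRAFT SMS: meet at the station at 19:30"   # constructed sample
    off = heap.malloc(64)
    heap.write(off, draft)
    heap.free(off, 64, scrub=scrub)
    if reuse:
        # A later allocation of the same size lands on the released chunk and
        # overwrites the head of the draft; only its tail survives.
        off2 = heap.malloc(64)
        heap.write(off2, b"GPS 37.9838,23.7275\x00")   # constructed sample
    return carve_strings(bytes(heap.arena))


if __name__ == "__main__":
    print("freed, not scrubbed:", draft_message_scenario())
    print("scrubbed before free:", draft_message_scenario(scrub=True))
    print("chunk reused later:", draft_message_scenario(reuse=True))
```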

Symbian

Symbian is one of the older OSs in the category, with its first release taking place in 1997 as EPOC32, and it was discontinued after January 2013. Applications are mainly written in Java, while the native language is Symbian C++ [29]. Since many different versions of the OS exist, it is inevitable that slight variations concerning its architecture will also be present. An outline of the system architecture can be found below. The UI Framework is the upper level and consists of the infrastructure responsible for user interface functionality. One step lower, there is the Application Services Layer, hosting essential services for applications to run properly. A separate layer is devoted to Java ME, in order to provide compatibility with the OS. It contains the virtual machine and some supportive packages. Networking services, handlers and components, graphic support elements and generic services are combined under the OS Services Layer. Lastly, the lowest level concerns the hardware and kernel infrastructure [30, 47].

Forensically Significant Data

The two major evidence sources within the Symbian OS concern call logs (callLog.dat) and directory contacts (contacts.cdb) [29,34]. Unallocated data concerning the Short Message Service (SMS) can be found in the “\Private\1000484b\Mail2 folder” [34,44].

Figure 3.6: Maemo Architecture

Maemo

Maemo is a Linux-based, open source OS. Even though it is not widespread, it has some interesting research-oriented features, such as the fact that user data, operating system functions and swap spaces are situated in different partitions [27]. Forensically important elements are situated in various databases.

3.1.2 Data Types

Data acquired from forensic examinations can be classified as well, depending on their types and the entity that has access to them. The first group consists of data handled and altered strictly by the OS, such as connection handlers (for GPS, WiFi, etc.), OS defaults and structural elements (IMEI, IMSI). The second group concerns data imported and edited by users, such as text messages, contact lists, pictures and all sorts of customized application data. Data used by applications in background procedures and other similar entries manipulated by applications form the third category.


Chapter 4

State-of-the-art

4.1 Standards Background

Jansen and Ayers’ work is considered a milestone in the field of mobile forensics. They have contributed to a series of guidelines for mobile forensics, which are updated according to changes in the state of the art, under the supervision of NIST. The guidelines were not a theoretical set of rules, but assumptions deriving from experience in field investigations. They defined their own work as a means “to help organizations evolve appropriate policies and procedures for dealing with cell phones, and to prepare forensic specialists to contend with new circumstances involving cell phones, when they arise” [20]. They set the report as an essential background for every upcoming investigation but not as a strict set of orders, since exceptions to rules can always be present. The report was edited according to the regulations of the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. A forensic investigation must be a sequence of actions, consisting of the following steps: “acquisition, examination, analysis and reporting of retrieved data” [20]. It is notable that researchers who took this guide into consideration followed the same pattern with small or no deviations. An official set of regulations demands a proper technical background setup. As a result, the writers provided the potential readers with the most important infrastructure elements of mobile phone providers’ networks and devices. Afterwards, they classified the acquisition techniques into the two main categories, physical and logical, while briefly explaining the characteristics of each. They proposed that conducting both acquisition types would be the most complete solution under real-time investigation circumstances. In addition, they enumerated the officially certified forensic tools and the attribute coverage each one had. By the time of publishing, the majority of the tools implemented concerned SIM modules. Tools supporting mobile device OSs had also been developed, but on a more limited scale. Lastly, on the specific area of interest, they posed the main challenge concerning the efficiency of forensic tools. An acceptable tool should be capable of preserving the integrity of acquired data with respect to their original state. This can be achieved by the use of hash functions.

The next chapter in the guide concerned the setup of the investigation scene and the limitations that would prevent an acquisition from being admissible in court. The most significant part of the research was the one concerning data handling at and after the crime scene. Based on the “Good Practice Guide for Computer-Based Electronic Evidence” [1] regulations, they concluded that there should not be any data modification after device seizure, and every step of the investigation should be documented by certified professionals and guided by the overall responsible practitioner. These specific restrictions are the main source of trouble for the technical part of the investigation, because their attributes are contrary to the nature of mobile devices. Description of data and evidence preservation was the next key point in the report. Seized devices should be stored in forensically “sterile” means, be disconnected from any networking source, and their state should remain as close as possible to the one they had at the moment of discovery. Moreover, investigators are challenged to acquire any possible non-technical evidence from the device, such as fingerprints and DNA, before proceeding to further technical examination. Network isolation had been the apple of discord, since there have been two different disciplines in that direction: switching the device off might activate security mechanisms, while network isolation through “flight mode” would alter the device state. One of the first dilemmas concerning acquisition was whether it should be performed “on the fly” or inside a forensic laboratory. After enumerating the essential information about the device without interacting with its software, investigators were able to begin the acquisition procedure for all the memory types present on the device. The first step was to ensure that certain prerequisites are present, so that the acquisition procedure starts without any errors or misuses. Some important features to be acquired in the beginning were date and time. Extra attention should be paid in case of intentional changes to date and time on the part of the suspects, or unintentional ones, in case of battery removal. The writers provided an extra appendix with a detailed acquisition process, enhanced with screenshots. They next set a priority queue for acquisition types. Due to the risks that may appear during physical acquisition, it is preferred that logical acquisition be performed first.

Then, acquisition for identity modules was described. A whole chapter section was devoted to powered-off devices or handsets that require any kind of security code, providing the available solutions in order to bypass or acquire the essential codes, which can be either hardware/software driven, manual or even supported by help from a provider. Special sections were also provided for removable storage media and other peripherals. The section concerning the examination procedure covers the phase after acquisition, where there is no longer interaction with the device. Logical and/or physical images had been examined for data of forensic interest, or even for data that could act as intermediaries to other data, such as passwords stored in a database, etc. Acquired data had been classified to an extent that can determine the actors, places, time and motive of an incident. The section also contained information about subscriber details and call records that can be acquired from a telephony service provider. In the last chapter, referring to reporting, the writers gave a detailed guideline concerning the dissemination of the results of data acquisition.

4.2 iOS Forensics

Zdziarski achieved the breakthrough of implementing a physical acquisition technique especially designed for iOS. There are no other similar attempts in the literature until the time being. It was generally claimed that even the jailbreak technique he used was superior to other widespread ones [15]. The unique feature of the method is that it changed a certain amount of data in the system partition but left the user data partition untouched. The ideal state of no data being modified had not been achieved; a forensically sound image of the user data, though, was a breakthrough. Then, he booted the test device with a “recovery toolkit” [49], which contained the essential software in order to obtain a bitwise copy of the memory image. Another interesting feature was the utilization of SSH in the recovery toolkit in order to establish an encrypted bridge between the device and the workstation. Bypassing the protection code was accomplished by the installation of the iPhone Utility Client (iPHUC) on the workstation. Finally, file carvers, SQLite database software and other recovery/viewing programs were used in order to convert the acquired image to a human-interpretable format. Zdziarski contributed a major advance in the iOS forensics field. The research, though, needs to be continued, since new versions of the OS are implemented and previous techniques may become outdated.

Hoog and Gaffaney set the basis of forensic investigation for iOS, with a detailed outline of the state of the art and applicable methods up to that point. After presenting the most important technical attributes, they classified acquisition methods (manual, physical and logical). Commercial forensic tools performing physical, logical or both types of acquisition took part in the survey, as well as Zdziarski’s physical dd method [49]. Data extraction was carried out by the iTunes backup feature, with the automatic synchronization option deselected. The test device, an iPhone 3GS (2.2 firmware), which had not been through a jailbreak process, was filled with all kinds of data that can reveal user interaction with the phone, as in a real case study. The researchers then implemented an evaluation method for each acquisition procedure, consisting of certain factors, such as ease of installation and use, acquired data integrity, etc. Each of the factors contributed on a different scale to the final result, according to its relevance to the acquisition procedure. When the evaluation was completed, Zdziarski’s method gathered the highest score. Research results have shown that different forensic tools lead to different quantity and quality of acquired data, according to their characteristics.

Morrissey had also discussed logical acquisition on iPhone devices by the use of the iTunes backup feature. The research was applicable to iOS versions prior to 4 that had not been jailbroken. The acquisition procedure was enhanced by the use of mdhelper, a command-line utility specialized in data parsing. Mdhelper was not considered an essential add-on; on the other hand, it was able to help investigators navigate through retrieved data at a low time cost. Automatic synchronization had to be disabled from the beginning of the procedure, in order to ensure the forensic soundness of the retrieved data sets [20]. After the acquisition point, evaluation testing was similar to the one performed by Hoog and Gaffaney [15]. Contrary to Hoog and Gaffaney, evaluation results were calculated only from the amount and quality of retrieved files. Morrissey concluded with a lukewarm attitude towards forensic tools, implying the need for more efficient techniques.

One of the prevailing techniques for forensic acquisition from iOS devices is obtaining a logical backup via the iTunes backup feature. This approach was also studied by Bader and Baggili [2]. The test subject phone was an iPhone 3GS, not having been through a jailbreak procedure. They claimed that, even if a few physical acquisition techniques exist, iPhone devices are mainly examined through logical acquisition. After ensuring that the conditions of the research were compliant with forensic standards [20], they connected the device to two computer workstations (Windows and Mac) and initialized the backup procedure without triggering the synchronizing option. If the synchronizing feature had been turned on, data on the phone would have been altered and could not be considered an admissible piece of evidence [20]. On the other hand, some modification to the device data had been traced, since activation of a write-blocker failed when the device was connected to the workstation via USB. “The acquired backup was parsed and viewed using specific tools, such as pList editor, SQLite Database Browser” [2] and other file parsing utilities. A unique trait present in that research was the detailed outline of the whole examination procedure, setting the framework and limits within which it was conducted. Some limitations had come to the surface during the experimental procedure. iTunes versions prior to 8.2 were unable to interact with the iPhone 3GS device. This finding points to a general discipline concerning the attitude towards experiments: the more approaches are examined, the more detailed and appropriately oriented a research can be. Since logical acquisition leads to the extraction of a vast amount of data, isolating and analyzing the most important for the investigation can become demanding.

The backup folders of both workstations were compared to each other. The same sequence of alphanumeric characters appeared as the folder name on both of them, leading the writers to the conclusion that the name was a hash function output, unique for each acquisition deriving from the same device with the same timestamp. The backup folder contains several subfolders, each named after a hash function value. “Backup data is stored in three file formats, pList files which store data in plaintext format, mddata files which store data in a raw binary format and mdinfo files which store encoded metadata of the corresponding mddata files” [2]. Special software was used in order to decode the files mentioned above, such as pList and SQL editors. They also made a small reference to manual acquisition with terminal commands, as an additional data source and means of comparison. Afterwards, they made a classification of the data types acquired. Parsers were used in order to convert binary files to their original state. Finally, they proposed the development of open-source software in charge of handling data from pLists and databases and printing the appropriate reports. Another challenge arising was the acquisition methods for password-protected devices, or groups of encrypted data.

Husain et al., after expressing a general disappointment towards the performance of commercial forensic tools and the disadvantages of individual acquisition methods [49] or acquisition techniques involving the “jailbreak” procedure, proposed a framework for iPhone forensic investigations, consisting of three phases: “data acquisition, data analysis and data reporting” [16]. The presented procedure doesn’t have notable differences from other studies in the field, but could be proposed as a general framework. Acquisition had been performed via the iTunes backup utility, but the researchers didn’t mention sync deactivation. Decoding of retrieved data was carried out through the use of file parsers and plist editors. In order to bypass security codes, they proposed the seizure of the computer that may belong to the suspect or victim. This assumption, though, isn’t always applicable, since the investigators might not discover any workstations, or the suspect might not even possess any computing devices. The arguments do not refer to a general condition, so the proposal is unable to become an official framework for investigations.

Social networks have become the center of attention, since they gain more and more subscribers every single day. Data deriving from mobile versions of social media can be an important source of information for investigators. [22] discussed social media data exported from mobile versions of social networks for versions 3.x and 4.x of iOS. Even if the research is restricted within the limits of a country, the sample can be representative, since some of the social networking applications used are popular worldwide. Before beginning the experimental procedure, the researchers split the acquisition procedure into two main categories; the first concerned devices whose security mechanisms had been bypassed by the use of the jailbreak technique, while the other referred to devices that hadn’t been through any kind of change. Less attention was given to the first category, since the writers skipped the acquisition method used. On the other hand, they gave considerable attention to the second category, where they used one of the common approaches for acquisition [2], the backup feature of iTunes. Extracted backup data are the same in both OS versions, but the metadata have a different format. For instance, in versions 3.x, the extracted data file has the .mddata extension and the .mdinfo file is created for the metadata. In versions 4.x, “all information on the backup file is saved as a pair of files, manifest.mbdx and manifest.mbdb” [22]. The next step in the survey was to gather and compare the retrieved results from the social networking applications, as well as the paths to the data. Data deriving from backup acquisition were stored under a hash value, while those extracted from the jailbroken devices were stored directly with their file name and type. Afterwards, the information of major forensic importance, such as multimedia images, user-driven social media attributes and geolocation data, was categorized. A rather interesting aspect concerning multimedia files (photos and videos) was spotted, since an iPhone device by default relates pictures taken with its camera to the GPS coordinates of the place where they were taken. This information could be extracted separately, but this feature couldn’t be used in social media applications, because the OS itself creates another picture folder, where photos to be uploaded are stored without the geolocation data available. In the end, they focused on behavioral analysis of data manipulation by each application and concluded that all of them have different structural attributes. Information concerning temporary files from Facebook could only be retrieved from jailbroken devices. The research gives food for thought for further experiments in the field of social networking applications.
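Both Bader and Baggili [2] and [22] note that backup entries are stored under a hash value and that iOS 4.x describes them in manifest.mbdb. The following Python parser is an added example, not code from the thesis or from either paper: the record layout and the SHA-1 naming rule (the hash of “domain-path”) come from the community-documented iOS 4.x format rather than from this page, and the manifest it decodes is constructed inline.

```python
import hashlib
import struct

# Byte layout of an iOS 4.x Manifest.mbdb as documented by community parsers
# (assumption: neither the thesis nor [22] describes the layout itself):
#   header  : b"mbdb\x05\x00"
#   record  : five length-prefixed strings (domain, path, link target, data hash,
#             encryption key), then mode u16, inode u64, uid u32, gid u32,
#             mtime u32, atime u32, ctime u32, file length u64, flag u8,
#             property count u8, followed by that many (name, value) string pairs.
#   strings : u16 big-endian length followed by the bytes; 0xFFFF means "absent".
MBDB_MAGIC = b"mbdb\x05\x00"
FIXED_FIELDS = ">HQIIIIIQBB"   # 40 bytes, big-endian


def _pack_str(s):
    if s is None:
        return b"\xff\xff"
    raw = s.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def _unpack_str(data, off):
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    if n == 0xFFFF:
        return None, off
    return data[off:off + n].decode("utf-8", "replace"), off + n


def backup_file_name(domain, path):
    """Hashed name under which the backup folder stores an entry: SHA-1 of 'domain-path'."""
    return hashlib.sha1(f"{domain}-{path}".encode("utf-8")).hexdigest()


def parse_mbdb(data):
    """Decode every record of a Manifest.mbdb, annotating each with its backup file name."""
    if not data.startswith(MBDB_MAGIC):
        raise ValueError("not a Manifest.mbdb image")
    off = len(MBDB_MAGIC)
    entries = []
    while off < len(data):
        e = {}
        for name in ("domain", "path", "linktarget", "datahash", "enckey"):
            e[name], off = _unpack_str(data, off)
        (e["mode"], e["inode"], e["uid"], e["gid"], e["mtime"], e["atime"],
         e["ctime"], e["filelen"], e["flag"], nprops) = struct.unpack_from(FIXED_FIELDS, data, off)
        off += struct.calcsize(FIXED_FIELDS)
        e["props"] = {}
        for _ in range(nprops):
            k, off = _unpack_str(data, off)
            v, off = _unpack_str(data, off)
            e["props"][k] = v
        e["is_dir"] = (e["mode"] & 0o170000) == 0o040000
        e["backup_name"] = backup_file_name(e["domain"], e["path"])
        entries.append(e)
    return entries


def build_record(domain, path, mode=0o100644, filelen=0, mtime=0, props=()):
    """Assemble one record; used here only to construct the sample manifest below."""
    rec = b"".join(_pack_str(s) for s in (domain, path, None, None, None))
    rec += struct.pack(FIXED_FIELDS, mode, 0, 501, 501, mtime, mtime, mtime,
                       filelen, 0, len(props))
    for k, v in props:
        rec += _pack_str(k) + _pack_str(v)
    return rec


# Constructed sample manifest (not a real backup): a directory, the SMS and
# address book databases, and one third-party app preference file.
SAMPLE_MBDB = MBDB_MAGIC + b"".join([
    build_record("HomeDomain", "Library/SMS", mode=0o040755),
    build_record("HomeDomain", "Library/SMS/sms.db", filelen=245760, mtime=1325376000),
    build_record("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb", filelen=65536),
    build_record("AppDomain-com.example.chat", "Library/Preferences/com.example.chat.plist",
                 filelen=512, props=(("com.example.note", "constructed"),)),
])


def locate(entries, path_suffix):
    """Map a logical path the examiner is after to the hashed file(s) in the backup folder."""
    return {e["path"]: e["backup_name"] for e in entries if e["path"].endswith(path_suffix)}


if __name__ == "__main__":
    for e in parse_mbdb(SAMPLE_MBDB):
        kind = "dir " if e["is_dir"] else "file"
        print(kind, e["backup_name"], e["domain"], e["path"], e["filelen"])
```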

Within their research, [45] determined the iTunes backup utility to be a prevailing method for logical acquisition from devices running iOS. The introduction began with a detailed presentation of the features that give forensic importance to iTunes. One interesting aspect was the explanation of how application data reside in and can be collected from an iPhone handset. Technical details had been analyzed in depth; however, there was no trace of compliance with SSDF standardization. For example, the option of de-activating synchronization wasn’t even mentioned. They then enumerated the arguments concerning data deriving from the use of social network and chatting applications (Facebook, WhatsApp Messenger, Skype, Windows Live Messenger and Viber), which was the initial scope of the research. The test device was an iPhone 4, running iOS version 4.3.5. The experiment consisted of two phases. The first concerned data acquisition after app installation, while the second after deletion. All the applications tested, apart from Facebook, stored additional data in the backup folders, which could be easily decoded by the use of pList editors and a SQLite browser. The results satisfied the needs of a forensic investigation, but there were still some spots needing extra attention, such as encrypted and unallocated data. The case study of a jailbroken device needs to be covered as well.

4.3 Symbian Forensics

[29] discussed the development of an on-phone logical acquisition tool for the Symbian OS (version 7), which is based on the disk duplicate (dd) technique on portable devices running the Linux OS [29]. In the first place, they made an introduction to OS characteristics and then classified acquisition methods. Their approach consists of manual acquisition, use of forensic tools, logical acquisition including a connection agent, physical acquisition and data acquired from service providers. The use of forensic tools as a separate category is disputed, since they serve as automated solutions in order to interpret logical and physical acquisition results into a human-readable format. On the other hand, data retrieval from a phone service provider (citation needed) is a completely separate procedure from the other acquisition types. It would be more appropriate if its use were complementary to the results deriving from manual, physical and logical acquisition tasks, in order to ensure data integrity. However, the classification provided by the authors, considering the period of time the article was written, is quite accurate, since it was only then that mobile devices started becoming complicated and needing different kinds of acquisition, apart from the SIM module and phone service provider ones. Later in the paper, they clarify that when the interaction of a forensic tool with the target mobile phone is kept on a low scale, the evidence deriving from it is more likely to be admissible in court. After enumerating the possible ways of installing the on-phone tool, they came to the conclusion that the way that causes the least data differentiation is saving the tool installer on an external memory card and then placing it inside the target device. “Even though it may change certain parts of the operating system, the changes are very little compared with placing an entire installer which still has to be extracted” [29]. This approach was the best at preventing alterations of data, but presented other disadvantages. Acquired data were stored on the same memory card carrying the application installation file, so the acquisition destination was not forensically sound. Furthermore, they used recognizers, which “are written as plug-ins to the MIME Recognizer Framework and are scanned for and loaded during operating system startup” [30]. Thus, the tool was able to start when the phone was booting and so to avoid further interaction. Choosing between Java and the development of a native application using the Symbian C++ programming language was another challenge faced. The option selected was the native application, since it gained access to lower levels of the operating system by default; this way, acquisition of bigger quantities of data was possible. Another negative trait of the tool was that it was unable to acquire data from applications being executed at the same time, since it couldn’t handle the running processes. As a result, data of high forensic importance could not be acquired, such as call logs and contact lists (CallLog.dat and Contacts.cdb files). Data retrieved were mainly modified and created by the users and handled by applications. There was no trace of data manipulated by the OS or other structural elements. Despite the fact that the method presented had major issues waiting to be solved, it became a source for further research.

After a brief but fruitful presentation of the state of the art concerning both the spread of smartphone usage and forensics standardization, DiStefano and Me proposed another on-phone logical acquisition tool for devices running Symbian OS version 8 and older. Even during a period when acquisition was conflicting with the use of commercial forensic tools and performing a bit-by-bit acquisition of the internal memory of the device was considered an impossible task, they managed to retrieve “the all Symbian file system” [11]. MIAT (Memory Internal Acquisition Tool), the tool they developed, is considered the evolution of Mokhonoana and Oliver’s equivalent. Taking into consideration that the versions tested were older than 9, there was no security mechanism to bypass. During the acquisition process, the tool opened and copied in read-only mode each entry it stumbled upon while traversing the file system tree. They also managed to correct previous defects, since the memory card inserted into the device in order to complete the acquisition was forensically sound and divided into two different partitions; one containing the tool application installer and the other destined for the acquired data. Moreover, the acquisition procedure was enhanced with the use of a hash function, in order to assure that the data retrieved were identical to the original. They also conducted experiments comparing MIAT to Paraben Device Seizure, a commercial forensic tool, and P3nfs, an application which is not a forensic one, but was claimed to “mount Symbian file system into Linux file system” [11]. After completing the experimental process, it was assumed that MIAT showed many advantages compared to the other tools. Parallel support for simultaneous examinations reduced the time needed in order to complete the investigation. Moreover, the files that succumbed to changes after the use of MIAT were fewer than the ones the Paraben tool changed. Last but not least, the extracted data size was almost the same for both tools. MIAT was properly documented, and the researchers set the proper base for future research, support of version 9 and improvements. Another accomplishment noted was the further development in order to give the tool a form that could support real-time investigations. It must be noted that there was no mention of the types of data acquired. That fact would have made the research procedure more complete and clarifying.

[48] noted the incompatibilities of forensic techniques between smartphones and devices running the Symbian OS and claimed that the latter need a separate approach. In the first place, they conducted research concerning the investigation models applicable to the digital forensics field. Before proposing a similar model for the Symbian OS, they exposed the state of the art for the specific kind of phones. New security mechanisms, starting from version 9.0 (capabilities), and their effects on a potential forensic investigation were discussed. The proposed model consists of 5 stages. The first stage concerns acquisition of the version and model without directly interacting with the OS. It is also checked whether the mobile device is protected by security mechanisms or not. If security mechanisms are present, then investigators use a protocol or a hardware approach to physical acquisition (via remote connect and response protocols or a JTAG chip connection respectively). The techniques mentioned are the ones interacting least with the security mechanisms. Their only interference includes gaining access to the swipolicy.ini file and then root privileges on the device. If security mechanisms are not present, then the use of every forensic tool is applicable. Poor documentation concerning acquisition types, other than a reference to Mokhonoana and Oliver’s tool, reduces the reliability of the model. The next two steps apply to extracted data analysis and dissemination of the result. Another negative aspect is the lack of documentation concerning standards in the field. Nevertheless, the process model can be useful for future investigations if extended.

Pooters created the Symbian Memory Imaging Tool (SMIT), which is said to be the first on-phone tool to “create linear bitwise copies of the internal flash memory” [34]. SMIT, designed for Nokia cell phones, is mainly based on a hybrid method consisting of logical acquisition techniques and boot loader class methods. It also makes use of the Symbian OS API in order to gain access to the file system of the device. The researcher claims that the developed tool is able to recover hidden data from slack and unallocated areas of the memory, thanks to the support provided for low-level system calls. Since SMIT is an application installed on the mobile device and used for live forensic purposes, it alters the device’s original state. As a result, the researcher adopts techniques that allow the application to comply with the NIST Guidelines on Cell Phone Forensics [20], such as the use of MD5 and SHA-1 hash functions and the reduction of write traces. The application was compatible with Symbian versions 8.1 and newer. Accessing the lower-level API instead of the file server one automatically gives more privileges over drive manipulation and access. It is notable that SMIT acquisition was more fruitful on the test devices running Symbian 9.0 than on the 8.1 ones. On 8.1 devices, the only partition recovered contained system data, while 9.0 devices returned both system and user data partitions. The writer claims that further research needs to be conducted for version 8.1 but, taking into consideration the current market share, priority should be given to other kinds of devices. Rooting, the apple of discord concerning mobile devices, is also present in Symbian cell phones. In order to install SMIT properly, it was obligatory to use a capability hack. “Capabilities are a mechanism to control the actions an application is allowed to perform on the operating system” [34]. In this case, Pooters used the HelloOx modification, a hack intended for rooting Nokia mobile phones. After completing drive mapping, it extracts itself directly onto the virtual ROM drive, proceeds to install root certificates and patches memory pages in order to prevent the capabilities mechanism from functioning. Nevertheless, the compliance of HelloOx and other third-party rooting applications with forensically sound practice is still controversial [20]. The writer proceeds to a brief presentation of analysis techniques for the retrieved flash memory images. Then, he presents the data types of forensic interest acquired from the device, ranging from application data to user-edited and deleted data. Developing a tool like SMIT was a big step in the Symbian forensics field, since none of its predecessors, such as MIAT [11], were capable of retrieving a bit-by-bit copy of the file system. Moreover, it had the unique trait of deleted data retrieval, which is a weak point of logical acquisition based tools. Access to the low-level operating system API calls allows the advantages of logical acquisition to be partially combined with physical acquisition traits without facing the circuit destruction challenge. Due to the hybrid nature of SMIT, Pooters provided a slightly different classification of acquisition methods. He divided physical acquisition into two categories, chip extraction and JTAG, while adding the level of bootloaders between physical and logical extraction. This research too runs up against the obstacle of rooting without altering the original state of data on the device, but the use of hash functions preserves data integrity. Further research needs to be conducted on the retrieval of files altered by the operating system itself, such as GPS and PIM activity, but also on database files. Expanding the functionality of SMIT to brands other than Nokia would be a positive outcome as well.

Thing and Tan went further into the Symbian forensics field. They mainly focused on the retrieval of privacy-protected data on smartphones running the Symbian OS. The two devices used in the experiments were Nokia ones, running OS versions 9.4 S60 5th edition and 9.3 3rd edition. Their study concerned the acquisition of allocated and deleted SMS from the internal memory of the devices. No acquisition type was mentioned but, since the study concerned protected data, it could be applicable to both physical and logical methods. At first, they presented the current situation concerning SMS recovery tools and concluded that their area of effect had been quite limited and effective only in certain parts, such as the SIM module. Afterwards, they claimed that the main obstacle in internal memory acquisition was the existence of default security mechanisms, not only for Symbian but for other types of OSs as well. As OS versions evolve, it is becoming more difficult to penetrate the security locks that preserve the integrity and availability of sensitive data. As a result, they implemented a technique in order to bypass the AllFiles capability, which leads to unlimited access to the Symbian file system. The researchers managed to “create a sub-directory \sys\bin under any directory in the phone, place executable files in it, and then map it to a new drive letter, effectively placing these executable files into the valid executable path” [44]. They also configured a Symbian Authority Certificate and integrated it into the device with the aid of the mapdrive API, by “triggering the Symbian Certificate Store” [44]. In that way, they were capable of allowing their tool to acquire permissions to execute different kinds of commands while leaving other security mechanisms activated and preventing them from intervening in its functionality. This is considered a revolutionary technique, since its predecessor capability hacks, like the different versions of HelloOx [34], totally disabled the security mechanisms, making the handset a potential target for malicious attacks. Once the security locks had been bypassed, they were able to locate the previously invisible path to the folder containing the unallocated and active SMS within the internal memory, namely \Private\1000484b\Mail2. They found that each file entry inside the folder referred to an allocated SMS. Moreover, they implemented an algorithm in order to determine properly “the actual packet and message length” [44]. Acquiring deleted SMS from the index file was a slightly different procedure. The fact that every deleted message started with a certain sequence of digits and alphanumeric characters facilitated their work. Together with a maximum number of bytes (64) that had been noted for every deleted entry and the observation of different kinds of indices, messages up to that byte limit could be partially or fully recovered. The researchers proposed future expansion of the same experiment to other types of protected data, such as MMS, e-mails, notes, etc.

Thing and Chua developed a physical acquisition tool for Symbian phones, entitled Symbian Acquisition Tool (SAT), written in Symbian C++ [43]. The test subject phone was a Nokia N97 running the S60 5th edition. “The tool composes of an Acquisition Program, a Memory Extractor Module, a Hash Generation Module and a File Compression Module” [43]. The Acquisition Program triggered the Memory Extraction Module, which stored the bitwise copy of the memory image on removable storage media. The Hash Generation Module was necessary, since it computed the SHA-1 value for future verification tasks. The File Compression Module was used to reduce the image copy size in order to fit the removable storage media. The next step consisted of filling the device memory with different kinds of data, deleting and/or adding new ones and extracting results concerning fragmentation. It appeared that fragmentation levels were higher when many file modifications were taking place. The research could be extended to handset models other than Nokia ones and to other OS versions.

4.4 Android Forensics

Lessard and Kessler’s [26] work concerns the procedure of acquiring a physical image and performing logical acquisition on an Android device. The test phone used during the experiments was “an HTC Hero running Android 1.5” [26]. They suggest a simultaneous examination of both the flash memory and the removable SD memory card. Removable memory cards may not store critical types of data, but some of it could be useful to the investigators. The examination of the removable card can easily be performed by a commercial tool, in this case AccessData’s FTK Imager v.2.5.1. The use of a write blocker is a prerequisite, in order to avoid data modification. This is partially “achieved by documenting all the actions performed on the target device”. It can later be verified that the sequence of actions did not compromise the integrity of the evidence [20, 29]. On the other hand, the internal memory contains more data of major forensic importance, such as contact and call lists, text messages etc. Physical acquisition cannot take place without gaining super-user privileges on the target phone. Rooting is achieved by using a third-party program or an exploit, but it alters system data and this prevents the device from being forensically sound. The writers assume that this is the only way to acquire a physical image until another way, altering data on a minor scale, is discovered. After successful rooting of the target phone, investigators can access every possible area within the phone memory. MTD blocks, which “allow for the embedded OS to run directly on flash” [26], contain useful information, such as system files and user data. By using the dd command in an adb shell, images of each mtd file present in the /dev/mtd directory are acquired. Afterwards, the memory image files are examined by a commercial forensic toolkit and useful files and entries are extracted. Using a forensic toolkit not only facilitates the forensic procedure, but also enables partial or full reading of fragmented and/or corrupt files. Flawless extraction of data was impossible. Nevertheless, data from all three categories were returned to the researchers and formed a satisfying picture of the use of the target mobile device. Useful information was also retrieved from system databases and web browsers via logical examination of the /data/data directory. UFED, another hardware forensic tool performing logical acquisition only, was used in order to have a more accurate picture of the extraction results. After gathering and comparing data extracted from both kinds of acquisition, Lessard and Kessler [26] concluded that each one contributes by providing satisfying results for different kinds of data. Despite the fact that the research was conducted at the very beginning of the Android forensics discipline, the results provided are accurate and the research is cited in later works.

Andrew Hoog set the milestone in the field of Android forensics. After a brief introduction to forensics of all scales, he categorized and presented the two dominant acquisition techniques, logical and physical, in detail. Once again, the data integrity and presentation of a forensically sound data set in court was disputed, since the nature of mobile phone functionality is not compliant with the existing regulations for computer forensics [1]. At first, Hoog set the framework for handling a device before the beginning of any acquisition process. These steps included bypassing user passwords for screen locking or deactivating it from the settings menu, dealing with switched-off devices, isolating the device from any network sources and keeping the device charged when needed, so as to avoid interruption before or during the acquisition process. Right after enumerating the possible ways of network isolation and evaluating the advantages and disadvantages of each, the writer concluded that the most appropriate method is enabling the flight mode of the device, if possible. Then, he suggested the use of adb in order to check for an existing USB connection and then perform the task of logical acquisition. If the target device is not rooted, the adb connection will not be completed successfully. Later on, he described the physical acquisition techniques, Joint Test Action Group (JTAG) and physical extraction (chip-off), and proposed their application when the investigators are not capable of performing a logical acquisition. Hoog provides an in-depth presentation of a forensic examination of the removable (SD) or embedded (eMMC) media, while similar field studies bypass the subject. Bypassing security codes was a major issue faced. One applicable technique, concerning on-screen shape locks, was the smudge attack: pattern locks could be revealed by using different angles of lighting on the screen. An alternative solution was booting into recovery mode, considered obligatory if the device had been powered off. The writer focused on the use of a write blocker in order not to alter the state of the device by mistake. Afterwards, he enumerated and described the most popular logical acquisition techniques, including adb, the AFLogical tool, Cellebrite UFED and others. The following section consisted of a detailed description of hardware (JTAG) and software (bootloader) physical acquisition techniques. In the end, he emphasized the importance of using MD5 hash functions when comparing the acquired files.

As smartphones started becoming more complex than their ancestors, new attributes were added to their functionality. One of them was the Global Positioning System (GPS), the uses of which varied from check-in actions on social networks to navigation purposes and image metadata. Data logs from such applications, or even raw forms from the GPS system itself, are a valuable source for investigators, since they are able to illuminate cases in depth, especially when they are enhanced with timestamps. [28] introduce a technique that serves to acquire all the available geodata present inside a smartphone. They claimed that rooting is obligatory in order to gain access to the applications containing the needed data. The extraction procedure consisted of the following steps: performing search queries for the related attributes (latitude, longitude, altitude) in application databases and storing them in a database suitable for the specific type of data. Data concerning geo-position can be stored in other forms, such as text metadata, which could make their acquisition a difficult task. They can also be retrieved by searching for specific terms related to location and then stored in a database appropriate for their form. Geodata conversion functions take geodata or metadata as input and return them in a human-interpretable format for further editing (XML). A way of presenting geodata in a compact form is by the use of an API, similar to Google Maps, containing pins and other significant enhancements. Apart from specific locations, the presentation procedure can also return the routes the cell phone owner followed. The researchers implemented a forensic acquisition tool, Android Forensic Toolkit, suitable for Android version 2.2 phones, and geodata analysis and presentation was a feature under development. No linkage between the data extraction procedure and the program was provided. Forensic analysis deriving from geodata is a precious source of evidence, and the data to be extracted should be taken into consideration in potential acquisition procedures.

[25] implemented a live-forensic acquisition procedure, based on commercial forensic suites through cloud computing, designed for Android devices. After a brief introduction to the Android OS and forensic legislative guidelines [20], they enumerated the prevailing features of cloud computing and how it could provide a secure background, suitable for conducting forensic acquisitions. They concluded that a cloud computing service, Google Cloud Service in that case, could satisfy a variety of conditions, such as security prerequisites, browser-based applications, bigger storage capacity and lack of time and location restrictions. At first, the researchers demonstrated the system architecture, which consisted of an HTTPS bridge between the cloud service provider and the workstations and devices. As soon as investigators downloaded the appropriate forensic software, they would be able to start data extraction. The acquisition type was not specified but, judging from the data types the software was able to retrieve and the fact that no rooting techniques were mentioned, the procedure resembled logical acquisition, which can apply to rooted handsets as well. One interesting and unique feature of the method was date correction, since proper time-stamping is essential for the validity and integrity of forensic analysis methods. The research would be considered complete as soon as the results of the acquired data were disseminated. A study focusing on a comparison between cloud and classic forensic acquisition would shed light on the effectiveness of the method.

YAFFS and YAFFS2, the file systems present in devices running the Android OS, are the most frequently discussed in the literature. [35] performed experimental research with logical and physical acquisition techniques and tools (adb pull, NANDump, xRecovery and Yaffs2utils) on a rooted Sony Xperia 10i device. Logical acquisition wasn’t able to acquire the full size of the file system, while physical acquisition, as expected, achieved a bitwise acquisition of the flash memory. Physical acquisition with spare data included followed a different approach, since the researchers needed to rebuild the YAFFS folder structure. Through the hex viewer WinHex, they were capable of recognizing the retrieved file headers and adding timestamps to many of them by converting the equivalent hex values. Since many different tools were used, the acquisition results were satisfying. Quick and Alzaabi claimed that “NANDump has generated a complete copy of the internal NAND memory” [35]. Lastly, they proposed the implementation of a tool or method which would be able to directly read and interpret the YAFFS file system elements. Such a utility would facilitate forensic investigations. Since Google has switched the file system type to EXT4, such research would be useful for older devices, but otherwise outdated.

Simao et al. proposed a forensic acquisition framework for the Android OS. The framework was presented as a flowchart, since there are many different states a target device can be in, such as rooted or not, switched on or off, with access control or not. Even if the model is applicable to many scenarios, it is missing some crucial elements concerning a real-time investigation. A more enhanced version of the existing model was introduced by [33], even though their goal was not the implementation of a framework. The additional information in their proposal concerned acquisition on damaged devices and fragmented memory page analysis. In order to validate the effectiveness of the model, [40] conducted experiments on phones in different conditions and found that the proposed schema was applicable. Further research should be conducted so that the framework can be kept up to date with upcoming versions of the Android OS.

Sylve et al. [41] referred to a lack of studies applicable to physical acquisition. They highlighted its importance, unlike many other studies that bypass the subject. The researchers presented “a methodology for acquiring complete memory captures from android, code to analyze kernel data structures and scripts that allow analysis of a number of userland and file-system based activities” [41]. Later in the paper, they enumerated the existing methodologies for volatile memory analysis on the Linux and Android OSs and compared the capabilities of their tools. Before proceeding to acquisition, they had to face the rooting challenge. They considered it a necessary evil, because the code expected to return the memory image had to access the device kernel. There had also been an attempt at memory acquisition with the use of methods intended for the Linux OS. The results of the experiments proved that Linux-oriented techniques were incompatible with the Android OS, since numerous problems appeared, such as missing functions, the limited size of offsets supported by the dd command and an insufficient percentage of acquired memory. Moreover, some global issues arose, since not every kind of handset showed identical behavior. The primary cause of this was the difference among ROM types and kernel modes, and it is yet to be discussed in future work. Afterwards, they presented the implemented method, DMD. The procedure consisted of the following steps: accessing the iomem resource kernel structure in order to acquire the beginning and ending points of RAM, converting to virtual memory and copying the selected segment to a removable storage device or a TCP port. This method avoided parsing useless parts of the memory and enabled flawless execution of commands such as dd, cat etc. Additionally, the procedure was less time- and resource-consuming. The researchers performed a case study of both types of acquisition on a rooted HTC device. TCP acquisition used the adb bridge in order to achieve port forwarding between the device and the workstation. Communication between the two sides was established through a socket, and a message header containing the memory range limits triggered the image acquisition. The memory image was acquired through port 4444 and, when the procedure completed, DMD terminated the existing connection. One of the main differences between TCP and SD card acquisition is the initial value of the path parameter given to the iomem command. The rest of the procedure was similar to memory dumping on SD cards in other studies. Last but not least, they proposed new directions for future research, concerning Dalvik VM memory analysis, which would extend analysis to the whole Android application space.
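The iomem step described above, as an added example written for this review (not code from DMD or the cited paper): it parses a constructed /proc/iomem-style listing, keeps only the top-level “System RAM” ranges and splits them into fixed-size reads, so that an acquisition covers RAM alone and never touches device registers. The addresses and device names in the sample are invented; the listing format is the real one used by Linux.

```python
"""Plan a physical-memory acquisition from the kernel's iomem resource list.

Added example for this review; it is not code from DMD (Sylve et al.).
The listing format is that of Linux /proc/iomem: "start-end : name", with
child resources indented under their parent.  Only top-level "System RAM"
entries are physical memory worth dumping; device registers (mmio, uart)
must be skipped, because reading them can hang or disturb the device.
"""
import re
from typing import List, Tuple

# Constructed sample: addresses and device names are invented for the example.
SAMPLE_IOMEM = """\
00000000-0fffffff : System RAM
  00008000-0053ffff : Kernel code
  00580000-0069d1a3 : Kernel data
10000000-100fffff : mmio.0
20000000-2fffffff : System RAM
30000000-300000ff : uart.0
"""

_ENTRY = re.compile(r"^(\s*)([0-9a-fA-F]+)-([0-9a-fA-F]+)\s*:\s*(.+?)\s*$")

Range = Tuple[int, int]  # (start, end) with end inclusive, as in /proc/iomem


def parse_system_ram(iomem_text: str) -> List[Range]:
    """Return every top-level 'System RAM' range, in listing order.

    Indented lines (kernel code/data) lie inside the RAM range above them and
    are already covered by it, so they are not returned as separate ranges.
    """
    ranges: List[Range] = []
    for line in iomem_text.splitlines():
        m = _ENTRY.match(line)
        if m is None:
            continue
        indent, start, end, name = m.groups()
        if indent or name != "System RAM":
            continue
        ranges.append((int(start, 16), int(end, 16)))
    return ranges


def total_bytes(ranges: List[Range]) -> int:
    """Number of bytes an acquisition of these ranges will produce."""
    return sum(end - start + 1 for start, end in ranges)


def dump_plan(ranges: List[Range], chunk: int = 1 << 20) -> List[Tuple[int, int]]:
    """Split each RAM range into (offset, length) reads of at most `chunk` bytes.

    Chunking per range keeps every read inside RAM.  A single dd over the
    whole physical address space would also read the gaps between ranges,
    which is one reason the paper found Linux-oriented tools unreliable on
    Android handsets.
    """
    plan: List[Tuple[int, int]] = []
    for start, end in ranges:
        offset = start
        while offset <= end:
            length = min(chunk, end - offset + 1)
            plan.append((offset, length))
            offset += length
    return plan


def skipped_regions(iomem_text: str) -> List[str]:
    """Names of the top-level non-RAM entries that the plan deliberately avoids."""
    names: List[str] = []
    for line in iomem_text.splitlines():
        m = _ENTRY.match(line)
        if m is None or m.group(1):
            continue
        if m.group(4) != "System RAM":
            names.append(m.group(4))
    return names


if __name__ == "__main__":
    ram = parse_system_ram(SAMPLE_IOMEM)
    print("RAM ranges:", [(hex(s), hex(e)) for s, e in ram])
    print("bytes to acquire:", total_bytes(ram))
    print("reads planned:", len(dump_plan(ram)))
    print("skipped:", skipped_regions(SAMPLE_IOMEM))
```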

[46] took research to a different level, facing the challenge of forensic acquisition on devices protected by a screen lock. Since a brute-force attack on the device was not a preferable method and might lead to further locking and inevitable data modification, another technique had to be implemented. Booting with a recovery image could easily bypass any kind of active lock code. After enumerating the criteria for a proper forensic analysis, they proposed an acquisition method based on the use of an acquired recovery image and adb software on the workstation the device is connected to. One of the MTD files present in the root folder of Android devices, mtd3 (recovery mode boot), was significant for the acquisition process of the recovery image. “By booting a device into recovery mode, the normal boot process is circumvented and the boot target is the bootimg currently loaded in the recovery partition” [46]. After this step, using a modified bootimg for the device became a routine task. The bootimg the writers used consists of existing modified files used in adb activation, the most useful utilities (dd, nand, su, dump) and other transfer binaries. The researchers implemented TCP transfer software and used a hash value for integrity preservation of the data moving back and forth. Last but not least, they provided for data dumping whether the target device was MTD-based (NAND dump) or not (dd command). Unlike many other studies [14, 26, 36], this one disapproved of rooting the target devices, presenting some potential disadvantages of the method. Boot options differ between different brands of mobile handsets. As a result, they examined three separate case studies, one of which was a Samsung device without MTD partitioning. A weak spot of the research is that there were no statistical results on the retrieved data. However, this can be the trigger for future experiments and case studies, since the technique can be applicable to all kinds of data concerning logical acquisition.

Case studies are experiments adapted to real-time conditions. In the field of mobile forensics, where device behavior is unpredictable [12], case studies can contribute to the creation of a holistic pattern for investigations. Racioppo and Murthy [36] presented a case study of physical and logical forensic acquisition on an “HTC Incredible”, a device running the Android OS, version 2.3. A small introduction to the features of the Android OS was essential for the readers to understand the whole experiment. The first part of the device to be examined was the removable storage media and, since its structure is practically identical to the ones used in computers, a computer forensic tool, AccessData FTK Imager version 3.0.1, was used in order to acquire a physical image copy. It is notable that the researchers used a write blocker in order to preserve the forensic soundness of the copy. For data integrity purposes, a hash value of the extracted image was used. Physical acquisition of the internal memory was a more complicated procedure. No useful data could be extracted if the phone was not rooted, so, even though the technique would not be admissible in court, they used a third-party program in order to root it. After gaining access to the root directory, they were able to create a bitwise copy of the seven MTDs present in the /dev/mtd folder. The next step consisted of analyzing the acquired images of the MTDs by “using the Ubuntu program scalpel, along with Andrew Hoog’s scalpel-Android.conf” [14, 36]. After examining the results, they concluded that physical acquisition was as effective as described; even unallocated files were retrieved. The fact that some files were corrupt or destroyed was considered a normal side effect of the method. Logical acquisition provided access to areas where physical acquisition was unable to, such as databases. Every piece of information stored in databases, such as contacts, GPS positions, voicemails etc., was retrieved. The future challenge the writers posed was the ability to root a device without compromising its forensic soundness.
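The dd-and-hash routine that the Android case studies above rely on (Lessard and Kessler imaging each node under /dev/mtd, Racioppo and Murthy hashing the resulting copies), as an added example written for this review and not taken from any of the cited papers: it copies every mtdN node found in a directory, records MD5 and SHA-1 in the same pass as the copy, and later re-verifies the images against the manifest. The device and output directories are parameters, and the demo runs on constructed files in a temporary directory rather than on a phone.

```python
"""Image MTD partition nodes and keep a hash manifest for later verification.

Added example for this review, not tooling from the cited papers.  On a
rooted handset the source directory would be /dev/mtd; here it is a
parameter so the demo can run on constructed files.  Hashing happens in
the same pass as the copy, so the manifest describes exactly the bytes
that were written, which is what a later comparison needs to prove.
"""
import hashlib
import json
import os
import re
import tempfile
from typing import Dict, List

CHUNK = 1 << 20  # read/write 1 MiB at a time
MTD_NODE = re.compile(r"^mtd\d+$")  # plain nodes only; skips aliases such as mtd0ro


def _copy_and_hash(src: str, dst: str) -> Dict[str, object]:
    """Copy src to dst, returning size and MD5/SHA-1 of the bytes written."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for buf in iter(lambda: fin.read(CHUNK), b""):
            fout.write(buf)
            md5.update(buf)
            sha1.update(buf)
            size += len(buf)
    return {"bytes": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def image_mtd(dev_dir: str, out_dir: str) -> Dict[str, Dict[str, object]]:
    """Copy every mtdN node in dev_dir to out_dir/mtdN.dd and write manifest.json."""
    os.makedirs(out_dir, exist_ok=True)
    manifest: Dict[str, Dict[str, object]] = {}
    for name in sorted(os.listdir(dev_dir)):
        if not MTD_NODE.match(name):
            continue
        manifest[name] = _copy_and_hash(
            os.path.join(dev_dir, name), os.path.join(out_dir, name + ".dd"))
    with open(os.path.join(out_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_images(out_dir: str) -> List[str]:
    """Re-hash each image and return the names whose MD5 no longer matches."""
    with open(os.path.join(out_dir, "manifest.json")) as f:
        manifest = json.load(f)
    mismatched: List[str] = []
    for name, rec in manifest.items():
        md5 = hashlib.md5()
        with open(os.path.join(out_dir, name + ".dd"), "rb") as f:
            for buf in iter(lambda: f.read(CHUNK), b""):
                md5.update(buf)
        if md5.hexdigest() != rec["md5"]:
            mismatched.append(name)
    return mismatched


def run_demo() -> Dict[str, object]:
    """Build constructed mtd nodes, image them, verify, tamper, verify again."""
    with tempfile.TemporaryDirectory() as work:
        dev = os.path.join(work, "dev_mtd")
        out = os.path.join(work, "images")
        os.makedirs(dev)
        # Constructed contents; real nodes would hold boot, system, userdata...
        with open(os.path.join(dev, "mtd0"), "wb") as f:
            f.write(b"abc")
        with open(os.path.join(dev, "mtd1"), "wb") as f:
            f.write(b"\xff" * 4096)          # erased NAND pages read back as 0xFF
        with open(os.path.join(dev, "mtd1ro"), "wb") as f:
            f.write(b"ignored")              # read-only alias, must not be imaged twice
        manifest = image_mtd(dev, out)
        clean = verify_images(out)
        with open(os.path.join(out, "mtd1.dd"), "r+b") as f:
            f.write(b"\x00")                 # simulate post-acquisition alteration
        tampered = verify_images(out)
    return {"manifest": manifest, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```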

EXT4 became the successor of YAFFS after the release of Android version 2.3 (the paper also explains why; this belongs in the introduction). Among other features, it supports journaling, which, by keeping a record of actions, enables error recovery mechanisms. During their experiment, [23] used two rooted devices running the Android OS, and their research was limited to logical acquisition. Afterwards, they provide a detailed description of the file system and its crucial elements, memory block contents and journal log area attributes. Forensic acquisition of the journal log area was summarized as locating the appropriate indicator block, extracting the following blocks until the metadata one and doing the same until finding a block signifying the end of the sequence. If the hex values of the block and the metadata block are not identical, then the technique has encountered an unallocated file.

4.5 Windows Mobile Forensics

Klaver’s work has been an influence on many later researchers, since he not only introduced rare and revolutionary techniques in the field, but also discussed the most significant parts of the hardware and software related to them. His paper concerned the study of physical acquisition mechanisms on smartphones carrying the Windows Mobile OS, version 6.0. The most significant attributes of forensic importance were the bootloaders and the RAM heap present in most of the Windows Mobile handsets. Bootloaders are the software components responsible for extracting a physical binary image of the memory of the device. Despite the fact that bootloaders exist in smartphones carrying other kinds of OSs, only Klaver gave a detailed description of their utility and applications in forensic science. He also mentioned that if a bootloader is prevented from being accessed, many problems concerning a potential forensic extraction might occur. Moreover, he argued that the RAM heap is a treasure trove of unallocated data or data deriving from interaction with applications, since most buffers reside there. Just like other researchers, he took great care that his research methods comply with the forensic practices admissible in court [20] and assumed that a sound investigation requires inactive connections and no heap alterations on the target handset. After categorizing acquisition methods into logical and physical ones, he came to the conclusion that physical acquisition, although more effective, is dangerous for both the mobile phone and its data at the same time. On the other hand, he claimed that logical acquisition can become insufficient if access to certain areas of the memory is prohibited, and forensic soundness can become compromised if bypassing modifications are used. He then presented a pseudo-physical acquisition technique, as a mix of characteristics from both types of acquisition. The set of actions consisted of a bitwise copy of the flash memory image obtained through ActiveSync. This could be achieved through the use of a “dedicated dll loaded into the system under investigation, thus overwriting RAM and possibly flash memory” [24]. If this had been a physical acquisition procedure, the outcome would be at flash hardware level. Since this technique was followed, the produced outcome belongs to the level of the file system. This attribute prevented unallocated data from being retrieved and contributed to the hybrid nature of the method. A presentation of the pseudo-physical acquisition method wouldn’t be complete without an evaluation of the tools designed for the specific purpose. Both of the tools utilized interacted with the target device in a way that data on it was not affected. This could be achieved either by remote handling or by the use of removable storage media. An interesting approach was provided when the writer presented the file system reconstruction procedure, based on memory pages, in pseudocode. Pseudocode was also used in order to describe acquisition procedures for files of high forensic importance, such as cemail.vol and pim.vol, with the use of the proper libraries and dlls. Yet another unique feature provided is the use of a Python script, “cedbexplorer.py”, as a potential algorithm in order to retrieve standalone records within a database. Once a record was retrieved, it was decompressed; its MD5 hash was calculated and then compared to the MD5 hash fingerprint deriving from xpdumpcedb.exe. Preliminary efforts were made in order to understand the way a program had been interacting with the heap and leaving traces on it. Klaver implemented another Python script, “heapdigger.py”, which “searched the heap marker in an image, decoded the heap headers and subsequent heap items” [24]. This research served as food for thought for many later ones, and methods will have to be kept up to date with newer versions of the OS.

A more limited version based on Klaver’s work was proposed by [5] and applied only to non-password-protected handsets. The writers adopted the same pseudo-physical acquisition technique as Klaver and made use of one of the tools he proposed. Difficulties in retrieving deleted data were given high consideration, without focusing on the acquisition methods related to each kind. Obstacles that may occur are caused by failures in reconstructing the file system, as well as by the fact that a certain number of devices carrying the Windows Mobile OS replace the content of deleted files with a sequence of 0xFF bytes. Similarly to other researchers in the field, they concluded that forensically valuable information can be retrieved from the cemail.vol and pim.vol files. By presenting a detailed structure of the cemail.vol file, they emphasize the importance of the data provided within it. They also promoted the use of a hex editor in order to retrieve hidden deleted data. Another place likely to contain important information was the system registry, since there could be found “details of the configuration and use of a device” [5]. The researchers mainly focus on the importance of acquired data during an investigation. An interesting aspect was presented at the end of the paper, concerning the remote execution of a piece of code sending data to a third-party entity, which observes the user’s actions. Such a task may not be visible in the task manager or perceived by an average user, but it can still run in memory or be detectable by the RAPI tool commands [24]. [5] propose an implementation for discovering such processes by a program entitled MobileSpy, which was able to detect this kind of change, but the documentation provided was not satisfying. [5]’s work completes the experimental overview provided in Klaver’s and can be further used for a plethora of examples.

[12] studied data acquisition on smartphones running the Windows Mobile operating system with respect to the applicable forensic techniques. The paper does not propose a new method, but compares the ones already developed. The lack of a standardized structure for forensic acquisition processes appeared to be the major challenge, since the authors had to create a hypothesis and adapt it to the tools they used from scratch. The study began with a classification of acquisition methods into physical and logical and a presentation of the tools used for each. The test smartphone ran version 6.1 and was not supplied with an external storage card, since the authors considered it unnecessary in light of previous studies on the subject. The device was subjected to manual, physical and logical acquisition procedures. Before any kind of acquisition took place, ActiveSync was enabled. For physical acquisition the researchers used a pseudo-physical technique, implemented by "Cellebrite's Universal Forensics Extraction Device Physical Pro edition, version 1.1.3.8" [12]. The same forensic suite was also used to complete the logical examination. Since data extracted by physical acquisition techniques were not in human-readable form, tools such as forensic toolkits and file carvers were used to interpret the different kinds of files in the binary image. Apart from commercial file carvers, the Python script cedbexplorer.py from [24] was used as an alternative approach to extracting data from database files such as cemail.vol. String extractors were also used to extract the content of allocated files. Logical and manual acquisition results, on the other hand, needed no further processing. After completing every kind of acquisition, the authors computed MD5 hashes of the retrieved data and artifacts and compared them to those of the originals. The retrieved pieces of information were then classified into four categories: three describe the degree of correspondence between the original and the extracted artifact, while the fourth was used when an artifact was neither detected nor supported. Data that had not been fully recovered were additionally tested with a fuzzy hash, in order to measure their similarity to the originals. As expected, the results of the two acquisition types differed substantially. Unallocated files were retrieved only through physical acquisition and the use of WinHex, but physical acquisition was unable to recover any data related to appointments, contacts and call logs, most of which were stored in the embedded databases; logical acquisition was capable of recovering those data types. Differences appeared even between retrieved files of the same kind. The researchers concluded that, in order to obtain a data set adequate for a forensic investigation, a combination of acquisition methods and tools should be applied, and that extra attention has to be paid to the integrity and validity of the tools used.
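The verification step described above, as an added example that is not code from [12] or any other surveyed paper: each recovered artifact is compared with its original by exact hash and, where the hashes differ, by a similarity score computed over content-defined chunks, a simplified stand-in for the fuzzy hashing the paper mentions (it is not ssdeep). The chunking parameters, the four category names and the sample messages are constructed assumptions. MD5 is kept because the surveyed studies used it; SHA-256 is added because MD5 collisions are practical to construct.

```python
"""Verify recovered artifacts against their originals: exact hashes first,
then a similarity score for files that came back only partially.
Added example; not code from [12] or any other surveyed paper."""
import hashlib
from typing import Dict, List, Optional, Tuple


def fingerprints(data: bytes) -> Dict[str, str]:
    """Exact fingerprints. MD5 is kept because the surveyed studies used it;
    SHA-256 is added because MD5 collisions are practical to construct."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def cdc_chunks(data: bytes, window: int = 8, mask: int = 0x3F,
               min_len: int = 16, max_len: int = 256) -> List[bytes]:
    """Split data at content-defined boundaries chosen by a rolling hash over
    the last `window` bytes. Boundaries follow the content rather than fixed
    offsets, so an insertion or truncation disturbs only the chunks around it.
    Simplified stand-in for ssdeep-style fuzzy hashing; all parameters are
    assumed values, not taken from any paper or tool."""
    chunks: List[bytes] = []
    start = 0
    for i in range(len(data)):
        length = i - start + 1
        if length < min_len:
            continue
        h = 0
        for b in data[max(0, i - window + 1):i + 1]:
            h = (h * 31 + b) & 0xFFFFFFFF
        if (h & mask) == mask or length >= max_len:
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the two chunk-digest sets: 1.0 means every chunk
    of one file also occurs in the other, 0.0 means nothing is shared."""
    set_a = {hashlib.sha256(c).digest() for c in cdc_chunks(a)}
    set_b = {hashlib.sha256(c).digest() for c in cdc_chunks(b)}
    union = set_a | set_b
    if not union:
        return 1.0
    return len(set_a & set_b) / len(union)


def classify(original: bytes, recovered: Optional[bytes]) -> Tuple[str, float]:
    """Four categories in the spirit of [12] (names assumed): exact match,
    partial match, unrelated content, artifact not recovered at all."""
    if recovered is None:
        return "not_recovered", 0.0
    if fingerprints(original) == fingerprints(recovered):
        return "identical", 1.0
    score = similarity(original, recovered)
    return ("partial" if score > 0.0 else "different"), score


def verify_acquisition(originals: Dict[str, bytes],
                       recovered: Dict[str, bytes]) -> Dict[str, Tuple[str, float]]:
    """Classify every original artifact against what the acquisition returned."""
    return {name: classify(data, recovered.get(name)) for name, data in originals.items()}


def sample_mail(subject: bytes) -> bytes:
    """Constructed test message, not from any real device or case."""
    return (b"From: alice@example.test\r\nTo: bob@example.test\r\nSubject: "
            + subject + b"\r\n\r\n"
            + b"".join(b"Line %03d of the message body about %s.\r\n" % (i, subject)
                       for i in range(40)))


# Constructed scenario: one exact copy, one truncated copy (tail lost and
# zero-filled by the carver), one unrelated carved blob, one artifact missing.
ORIGINALS = {"cemail.vol/msg1": sample_mail(b"invoice 4471"),
             "cemail.vol/msg2": sample_mail(b"meeting"),
             "cemail.vol/msg3": sample_mail(b"receipt"),
             "pim.vol/contact7": b"Bob Example;+30 210 0000000;bob@example.test"}
UNRELATED_BLOB = bytes(range(256)) * 4
RECOVERED = {"cemail.vol/msg1": ORIGINALS["cemail.vol/msg1"],
             "cemail.vol/msg2": ORIGINALS["cemail.vol/msg2"][:1200] + b"\x00" * 200,
             "cemail.vol/msg3": UNRELATED_BLOB}

if __name__ == "__main__":
    for name, (category, score) in verify_acquisition(ORIGINALS, RECOVERED).items():
        print(f"{name:20s} {category:14s} similarity={score:.2f}")
```

The exact-hash check decides only "identical" or not; the chunk-based score then separates a partially recovered file from unrelated carved data, which a plain hash comparison cannot do.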

[39] proposed an agent-based approach for forensic acquisition on Windows Mobile devices. A unique feature of this research is that, apart from introducing a technical framework, the authors dedicated a section to the most significant parts of a real investigation procedure, divided into seven phases: Identification, Seizure, Acquisition, Authentication, Analysis, Presentation and Preservation. All are of equal importance to the investigation results, but two of them, Acquisition and Analysis, carry the greatest technical significance, and the authors applied the tool they proposed to these two phases. They first made a small-scale evaluation of acquisition methods and recommended physical acquisition as the most thorough and effective one. Because of limitations arising from the division of internal flash memory into RAM and ROM, they concluded that physical acquisition could not be performed to a satisfying extent; logical acquisition, on the other hand, was the most frequent choice. They also determined the connectivity requirements for a proper setup, such as a USB or Bluetooth link from the mobile device to a computer and an ActiveSync or Windows Mobile Device Center (WMDC) installation on the workstation. Then they gathered the forensically important data sets, which reside in the file system, the databases and the registry. The agent the researchers proposed was an all-in-one tool, combining logical acquisition features for interacting with the most important databases (cemail.vol and pim.vol) with pseudo-physical acquisition traits such as the RAPI tools [5, 24]. There were no innovative features, but rather a complete solution as an alternative to applying many different techniques at the same time. Finally, they presented the tool's infrastructure and its acquisition results on a test target device, and compared it to other commercial forensic tools. Such a comparison cannot be considered accurate, though, since some of the tools did not support simultaneous physical and logical acquisition.

4.6 Blackberry Forensics

It is quite obvious that the bigger the market share a brand captures, the more research concerning it is conducted. Blackberry does not hold a big share, but, since it is designed mainly for professional and business use, it becomes an object of forensic interest. As with other kinds of devices, the acquisition procedure is completed with the official Blackberry Desktop Manager (BDM) through the generation of an IPD file [38]. Among its other features, BDM serves as a backup manager that returns an IPD file to the user, which ABC Amber BlackBerry Converter then interprets into a readable format. Sasidharan and Thomas [38] proposed a different approach, oriented to database acquisition with the use of an agent. After setting out the most important rules that preserve the legitimacy of forensic methods (the ACPO guidelines [1]), they compared their method against them and summarized every deviation. For example, the use of an agent in itself provoked changes to the state of the device, since data were modified. This problem is not specific to Blackberry but applies to every kind of OS. Blackberry devices have a unique trait that hinders forensic acquisition methods: the company provides no documentation or technical design outline, so forensic analysts start their research from scratch, at considerable risk. The method the authors proposed was a type of logical acquisition, since it was a program interacting with and extracting the databases within the Blackberry file system; it is notable, though, that they did not mention any acquisition types or classifications. The .cod agent was based on a client-server architecture and developed in the BlackBerry Java Development Environment (JDE). Apart from accessing databases, it was capable of creating a communication and data exchange stream between the target device and the computer it was plugged into. Moreover, the returned results did not need the converter in order to be decoded. Data integrity was preserved through MD5 hashes of the retrieved data. The next step consisted of analyzing the extracted data with the Blackberry Acquisition and Analysis Tool (BAAT), which they implemented in order to propose a complete technique; BAAT exported the acquired data concerning the target device in .html format. The main challenge they faced does not differ from that of other researchers: how a mobile device can comply with the existing standards that require no modification after seizure.

4.7 Maemo Forensics

Lohrum [27] studied forensic acquisition from the Nokia N900 smartphone running the Maemo OS. Maemo is not a widespread OS; hence forensic studies in the field are limited to a few resources, but physical and logical (referred to as triage) acquisition methods are present as well. He then introduced the technical details of the Maemo OS, focusing on its Linux basis. Features of the phone that were considered innovative at the time of its release were the Unix terminal, VoIP communication and game console emulators. Since documentation on forensic acquisition from Maemo devices is poor, the author's first goal was to find the places where data of major importance reside. The procedure he followed did not deviate much from the methodologies used for other types of smartphones. It consisted of the following steps: manually entering data and interacting with the device, acquiring a bitwise physical copy of the phone memory image, decoding it with a forensic tool, comparing the data to the original ones and finally "performing a limited triage extraction onto a microSD card" [27]. Before proceeding to the physical acquisition, the researcher eliminated every potential network connection of the phone. In order to complete the physical acquisition with the dd command, he had to root the target device. A unique feature of the acquisition process was that the image was transmitted to the workstation over an SSH connection. Another trait of this handset that facilitates forensic research is that user data, the operating system and swap space are located in different partitions; this way rooting could affect only one of them, preserving forensic soundness for the unaffected ones. After locating the most important data within the file system, he conducted a logical acquisition with an automated script, N900TriageExtraction.sh, which consisted of copy commands. At the end of the acquisition the script was deleted.

4.8 Multiple OSs Forensic Studies

[47] holds the credit for early forensic research, from a time when the field of SSDF was not yet fully formed. His study covered the main characteristics of the most prevalent operating systems for mobile devices and how they can be used in potential forensic investigations. Later in the work he set out the unique features of mobile devices that make the forensic discipline concerning them more complicated than the one concerning computers. Finally, he presented some commonly used forensic suites and tools as a point of reference.

[32] focused on the forensic examination of mobile devices equipped with the most popular OSs: iOS (iPhone 4), Android (v. 2.3.3) and Blackberry (v. 6.0). More precisely, the mobile versions of the Facebook, Twitter and MySpace applications were installed and used, so as to provide a satisfying amount of retrievable information. After conducting a logical acquisition on the devices, they performed a manual analysis of each logical image. The extraction and analysis procedure followed the guidelines provided by NIST [20]. The investigation would have been more complete had browser data been taken into consideration as well, since many users prefer logging in to social networks from a plain browser tab rather than the application itself; within the study's own scope, however, there was no data loss, because the investigation was deliberately restricted to the applications. Blackberry Desktop Software (BDS) was used to perform the logical acquisition on the Blackberry test phone, with the sync option turned off. Official backup software prevents changes to crucial elements of the logical image, so this method is acceptable in court [1, 20]. A logical copy was acquired, but no traces of data from social networking applications were found; since this operation failed, further research should be conducted on the subject. Although the authors themselves consider Zdziarski's method [15, 49] the best and most accurate iPhone forensics technique, their investigation was limited to the iTunes backup utility with the automatic sync feature turned off. This decision poses the dilemma "to jailbreak or not to jailbreak". Nevertheless, data acquisition was successful, since a great amount of social networking data could be retrieved from all the applications tested. This information includes Facebook user and friend data, friends with active chat sessions, timestamps, posted comments and all previously logged-in users; Twitter usernames, profile pictures and tweets; and MySpace credentials, posts and timestamps. The Android examination seems to be the most debatable category, since acquiring data from a device that is not rooted reduces the quantity and quality of useful information that can be gathered, while rooting a device makes significant changes to potentially admissible evidence. Rooting was chosen, for the sake of effectiveness. A standalone application, MyBackup, was used to extract the logical backup to an external SD card. Analysis of the logical image returned usernames, uploaded and viewed pictures, chat messages and created albums from Facebook; usernames, tweets and device information from Twitter; and usernames, passwords, cached files and cookies from MySpace. Although the results of the examination were satisfying for two of the three OS platforms tested, it is hard to reach firm conclusions. Different techniques and approaches, supported by different forensic tools, are needed, since tools differ in the data types they cover. Further research should be conducted to produce statistics that will help strengthen any weak points that appear.

Even minor research efforts can contribute interesting information to the field, even if they propose nothing innovative or different from existing work. The research and experiments conducted by [7] belong to that category. They studied logical acquisition techniques on two target devices, running Android OS version 2.1 and Windows Mobile version 6.1. The research was strictly limited to certain types of acquisition and data. The authors proceeded to logical acquisition with the official backup and sync suites for each phone: ActiveSync for the Windows Mobile device and Kies for the Android one. ActiveSync is considered a universal backup suite for Windows Mobile handsets; Android devices, on the other hand, apart from a few exceptions such as Samsung phones, have no standard backup suite. This fact raises many questions about how different Android devices behave under that type of data extraction and creates further experimental needs. Since the retrieval procedure consisted only of interaction with official product software, there was no need to interfere with security locks or to use other intrusive methods such as rooting. This approach, though, is not applicable to a real scenario, since the amount of data acquired will be relatively small compared to what an investigation demands. The data types the authors aspired to extract were also limited to user-created ones, such as images, SMS and contacts. One serious factor that was not taken into consideration, or was intentionally left undocumented, was the isolation of the devices from any kind of network. The only precaution stated for both devices was that they had to be switched on during the acquisition procedure. The official backup suites were able to restore deleted files, but no further information was provided about their quantity or quality. A lack of metrics concerning data integrity and availability was also noted in the results for allocated data, since the authors merely stated that some files were impossible to read. A limited-scale study can provide useful information; since the research field is small, such studies have to be supported by enough experimental data to produce detailed metrics and statistics.

The great majority of field studies build on existing methods in order to evolve or even disprove them. Fewer, on the other hand, research elements of mobile devices and how they can become useful to the development of new theories. [33] discussed a method of forensic analysis of fragmented memory pages for the case when "the reconstruction of the file system is impossible" [33]. Their first goal was to explain the basic characteristics of smartphone memory types and the mechanisms (wear levelling) they use to spread erase operations across the memory in order to extend the expected life span of the device. They then clarified that data acquisition can be partly easy, since data are only deleted at block level. They proposed a process model for forensic analysis which introduces flash memory page analysis, applicable either when reconstruction of the file system is impossible or for unallocated areas of the file system. The model flowchart can be considered an extended version of the one demonstrated by [40]. At the time the research was undertaken, the process model was applicable only to Android and iOS phones. One of the rare and notable features of the process model is that it addresses a real investigation scenario rather than separate acquisition techniques. The memory analysis method consists of four successive steps, which serve to reduce the amount of memory to be examined: duplicate entries, metadata and certain data recognizable by their size are excluded from the examination, and the last step classifies the remaining data according to their format. Data that have been compressed, such as audio, video and documents, were labelled random, and their recovery is considered a difficult task because of their size and consequently their level of fragmentation; the bigger a file is, the more scattered across memory blocks it can be. Non-random data, on the other hand, are smaller in size, such as web pages, SQLite databases and text. Both categories need specialized tools in order to be retrieved and completely restored. For proper documentation, they also conducted two case studies on two mobile devices, using the YAFFS and the EXT4 file systems. The method proposed is still in an early phase of development and many features need to be added to provide full functionality, such as simultaneous support of two file types on one memory page.
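The page-level filtering and classification described for [33], together with the 0xFF-filled deleted content noted for Windows Mobile devices in [5], as an added example that is not code from either paper: the raw image is cut into pages, erased (all 0xFF), near-empty and duplicate pages are dropped, and the remaining pages are sorted into random (compressed or encrypted) fragments and non-random ones (SQLite, HTML, text) by magic values and Shannon entropy. The page size, the entropy and padding thresholds, the label names and the sample image are constructed assumptions; real NAND geometry and spare areas must be taken from the chip's documentation.

```python
"""Triage of raw flash pages when the file system cannot be rebuilt: drop
erased, near-empty and duplicate pages, then sort what remains into random
(compressed or encrypted) fragments and non-random ones (text, SQLite,
HTML). Added example; not code from [33], [5] or any other surveyed paper."""
import hashlib
import math
from collections import Counter
from typing import Dict, List, Tuple

PAGE_SIZE = 2048            # assumed NAND page size; check the chip's datasheet
RANDOM_ENTROPY = 7.0        # assumed threshold, bits per byte, for "random" pages
MIN_CONTENT_RATIO = 0.01    # assumed: pages with fewer non-padding bytes are skipped

# Well-known magic values that mark the first page of an object (labels assumed).
SIGNATURES = [
    (b"SQLite format 3\x00", "sqlite_header"),
    (b"\xff\xd8\xff", "jpeg_header"),
    (b"\x89PNG\r\n\x1a\n", "png_header"),
]


def entropy(page: bytes) -> float:
    """Shannon entropy in bits per byte; compressed media approaches 8."""
    n = len(page)
    return -sum(c / n * math.log2(c / n) for c in Counter(page).values())


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or common whitespace."""
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def is_erased(page: bytes) -> bool:
    """A NAND erase leaves every byte at 0xFF; some Windows Mobile devices
    overwrite deleted content with 0xFF as well [5]."""
    return page.count(0xFF) == len(page)


def content_ratio(page: bytes) -> float:
    """Fraction of the page that is neither 0xFF nor 0x00 padding."""
    return 1.0 - (page.count(0xFF) + page.count(0x00)) / len(page)


def classify_page(page: bytes) -> str:
    """Label one surviving page by magic value, entropy and text checks."""
    for magic, label in SIGNATURES:
        if page.startswith(magic):
            return label
    if entropy(page) >= RANDOM_ENTROPY:
        return "random_fragment"        # compressed or encrypted; carve later
    body = page.rstrip(b"\x00\xff")      # drop page padding before text checks
    if not body:
        return "empty"
    lowered = body.lower()
    if b"<html" in lowered or b"<!doctype html" in lowered:
        return "html"
    if printable_ratio(body) > 0.9:
        return "text"
    return "binary_unknown"


def triage(image: bytes, page_size: int = PAGE_SIZE) -> Tuple[List[Tuple[int, str]], Dict[str, int]]:
    """Return (kept pages as (index, label), counts of dropped pages by reason)."""
    seen = set()
    kept: List[Tuple[int, str]] = []
    dropped: Counter = Counter()
    for offset in range(0, len(image), page_size):
        page = image[offset:offset + page_size]
        if is_erased(page):
            dropped["erased"] += 1
        elif content_ratio(page) < MIN_CONTENT_RATIO:
            dropped["padding"] += 1
        else:
            digest = hashlib.sha256(page).digest()
            if digest in seen:
                dropped["duplicate"] += 1   # same content written to two pages
            else:
                seen.add(digest)
                kept.append((offset // page_size, classify_page(page)))
    return kept, dict(dropped)


def _pad(data: bytes, fill: bytes = b"\x00") -> bytes:
    return data + fill * (PAGE_SIZE - len(data))


# Constructed sample image of 8 pages (not from a real device).
PSEUDO_RANDOM = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(PAGE_SIZE // 32))
HTML_PAGE = _pad(b"<!DOCTYPE html><html><body><p>Order confirmation #4471</p></body></html>\n")
SAMPLE_IMAGE = b"".join([
    b"\xff" * PAGE_SIZE,                                                       # 0 erased
    _pad(b"SQLite format 3\x00" + b"CREATE TABLE sms(address TEXT, body TEXT);"),  # 1
    HTML_PAGE,                                                                 # 2
    PSEUDO_RANDOM,                                                             # 3 compressed fragment
    b"\xff\xd8\xff\xe0" + PSEUDO_RANDOM[4:],                                   # 4 start of a JPEG
    HTML_PAGE,                                                                 # 5 duplicate of 2
    _pad(b"SMS 1: the keys are under the mat.\nSMS 2: see you at 19:30.\n", b"\xff"),  # 6
    _pad(b"\x01\x02", b"\xff"),                                                # 7 metadata remnant
])

if __name__ == "__main__":
    kept_pages, dropped_pages = triage(SAMPLE_IMAGE)
    for index, label in kept_pages:
        print(f"page {index}: {label}")
    print("dropped:", dropped_pages)
```

The order of the checks matters: magic values are tested before entropy, because the first page of a JPEG or PNG is as high-entropy as any other fragment of it and would otherwise lose the only clue to what it belongs to.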


Chapter 5

Timeline

Figure 5.1 represents a timeline of the literature in the field of mobile forensics. Research prior to 2006 is not included, since the technology is considered outdated and beyond the scope of this review. The horizontal axis at the bottom of the figure represents the presence, absence or coexistence of low-level modification techniques. Different shapes refer to OS types; the terminology follows the Microsoft Visio 2013 conventions. A square relates to iOS, a circle to Android, a pentagon to Symbian, a hexagon to Windows Mobile, a heptagon to Maemo, a diamond to Blackberry, a seven-point star to simultaneous analysis of multiple OSs and a rounded rectangle to theoretical background and standardization. Shapes are placed in the diagram in chronological order. Numbers inside them correspond to the entry number in the References, and letters to the acquisition type presented; each letter is as close to the first letter of the acquisition type as possible: P stands for physical acquisition, L for logical acquisition, A for all acquisition types, while N shows that no techniques were mentioned. Texture fill relates to the data types each paper examined: a large grid implies all data types, dark vertical lines refer to the user data category, dark horizontal lines to user and application data, dark downward diagonal lines to OS and application data, and a lack of texture indicates that no data types were covered. Solid lines between two shapes imply influence, while dashed ones imply compliance with or reference to theory and regulations. A dash-dot-dot line represents an implicit reference, i.e. similar points of view that do not refer directly to each other.


Figure 5.1: Major smartphone forensics approaches in chronological order. The arrows indicate interrelation between proposals (i.e., [b] has been influenced by [a]).


Chapter 6

Discussion

Mobile forensics is a relatively new discipline. The first guidelines and studies, published around 2007, were major contributions to the field, since many later studies were triggered by them. A sharp growth in the number of publications was noticed in 2011 and 2012. Such an outcome is expected, since the use of smartphones had become widespread and so had their involvement in crimes. Almost half of the research papers examined (17 out of 35) concerned devices without any low-level modification (root, jailbreak or capability hack). This is due to the need, stated in the proposed guidelines [1, 20], for an original image of the state of the device. The majority of the studies shown in Figure 5.1 that belong to the non-modified category have been influenced by the guidelines. The frequency of studies concerning low-level modified devices has been rising over the last two years. That fact implies the need to re-examine the theoretical background on the strictness of admissibility requirements, since investigations on non-modified handsets yield a smaller quantity of acquired evidence. The claims above are also supported by the fact that recent studies are aware of, but not restricted to, the existing guidelines; this shows a tendency to move away from them. Apart from the theoretical background, the conclusions drawn may trigger new research interest in the design and implementation of different hardware architectures for mobile devices, so that they become more forensics-friendly. The more popular a mobile OS becomes, the larger the body of research referring to it: for instance, from 2009 to 2011 the number of papers on Android forensics tripled. Nevertheless, research should not halt for OS types that have become outdated, since they can still contribute a lot to investigations, and newer techniques can be effective on older devices and file systems as well. Twenty-five out of the thirty-five papers included research on all the data types mentioned in the introduction. This result signifies that everything is potentially important in an investigation and can serve as evidence; no data type is disregarded. User data are nonetheless the most highly valued, since they are the most important piece of evidence, and almost every study takes them into consideration. Another frequently appearing combination was user and application data, mostly in studies of social networking or Instant Messaging (IM) applications, where a combination of both data types is inevitable.


6.1 Towards a common framework

Lack of standardization is a major issue in the field of mobile forensics [21, 26]. Rapid changes in technology, together with the variations and gaps among different kinds of mobile handsets and OSs, make the creation of a common framework or standardization model a hard task for researchers. Nevertheless, a great many similar attributes point in that direction. The argument is supported by the many common patterns among the acquisition methods and tools designed for each case. Client-server models in the implementation of forensic tools are one such attribute, present for both Blackberry and Windows Mobile devices [38]. Similar schemes can appear in completely different studies: one of the most vivid examples is the use of approximately the same flowchart for acquisition techniques on Android and iOS devices without any direct influence [33, 40]. Such studies can form the base of a generally acceptable model. Moreover, many logical-acquisition oriented studies use backup and synchronization suites. Information systems analysis methodology could be applied so that a multi-level Mobile Forensics Framework can be developed, where the lowest (zero) level would consist of common, general concepts and the higher levels would concern the different attributes and actions performed. The "Forensic Spiral" [21] was an early formal attempt at general standardization of forensic tool deployment. The backbone of the model is the fact that technology changes shape quickly, so a forensic tool should be able to keep up with changes, but should not be distributed until it has been formally validated. Modification of the device state at the moment of seizure is another issue to be resolved, and one that applies to every kind of device.


Chapter 7

Conclusions Outline

Almost every study concludes or implies that a forensic investigation is complete only when every possible acquisition method has been applied. Even though at least three different physical acquisition methods have been identified, the most widespread is the use of (adapted) bootloaders, regardless of the OS of the target device. This is not only because it is considered the safest of the methods, but also because it is cost-effective and provides satisfying results at the same time. Although researchers have found a less painful way of completing physical acquisition, the dissemination of data and documentation about the other kinds is still poor. When a real incident takes place, forensic analysts will not have the amount of information needed to perform the other physical acquisition tasks. Even if large-scale experiments on JTAG and chip-off techniques are less affordable, they still have to be conducted. The great majority of experiments are conducted on specific brands of mobile devices; Nokia (Symbian), HTC (Android) and Samsung (Android) were the devices that appeared most frequently in case studies. It is generally accepted, though, that even devices running the same OS behave differently, so brand diversity is another factor that needs to be taken into consideration. Many studies rely solely on commercial forensic tools, taking advantage of their ease of use compared to raw acquisition techniques. Even though this approach can be less time-consuming, the results may present a significant loss of evidence.


Chapter 8

Challenges and Food for thought

Newer versions of mobile OSs are equipped either with security mechanisms that are hard to bypass, such as Symbian versions after 9.0, or with encryption that protects data from compromise, such as iOS 4.x. These facts impose the challenge of adapting the existing methods to the new standards. Additionally, acquisition methods that were effective in the past have to be revised, evaluated from scratch and modified (if possible) so as to comply with the new technology attributes. Hash functions are used to preserve the integrity of the acquired data sets: if the fingerprint of the retrieved file or instance is the same as that of the original, the acquisition was completed successfully. Hash functions can have collisions, however, which can be exploited: an intentionally modified acquired file or instance that still matches the expected fingerprint passes the hashing control and can be used to obscure an investigation, by altering, deleting or modifying existing data on the device. For MD5, the function used in most of the surveyed studies, collisions are practical to construct, so a collision-resistant function such as SHA-256 should be used instead, or two independent hashes recorded. Since newer studies show a tendency to move away from the theoretical background demanding a total absence of changes to the device state after seizure, either the OS architecture or the attitude towards low-level modification should be revisited. A complete hardware redesign is a difficult and high-cost procedure, and it also provides no solution for older devices. On the contrary, enabling root privileges from the moment a device is released, together with a software-based solution for preserving security and preventing misuse, is a more sensible solution, which can also be applied to older devices through a software or firmware upgrade. Last but not least, a research timeline has to be kept up to date over the years, in order to preserve the ability to observe trends within the field; this will provide researchers with quicker and more effective decision-making.


Bibliography

[1] ACPO: Good Practice Guide for Computer-Based Electronic Evidence Ver. 4, 2007. http://7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence_v4_web.pdf.

[2] Bader, Mona and Ibrahim Baggili: iPhone 3GS forensics: Logical analysis using Apple iTunes backup utility. Small Scale Digital Device Forensics Journal, 4(1):1–15, 2010.

[3] Becker, Alexander, Andreas Mladenow, Natalia Kryvinska, and Christine Strauss: Aggregated survey of sustainable business models for agile mobile service delivery platforms. Journal of Service Science Research, 4:97–121, 2012, ISSN 2093-0720.

[4] Casey, Eoghan: Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet. Academic Press, 2011.

[5] Casey, Eoghan, Michael Bann, and John Doyle: Introduction to Windows Mobile forensics. Digital Investigation, 6, Embedded Systems Forensics: Smart Phones, GPS Devices, and Gaming Consoles:136–146, 2010.

[6] Chavez, A.: A jailbroken iPhone can be a very powerful weapon in the hands of an attacker. Technical report, Purdue University Calumet's CIT Department, 2008.

[7] Chun, Woo Sung and Dea Woo Park: A study on the forensic data extraction method for SMS, photo and mobile image of Google Android and Windows Mobile smart phone. In Convergence and Hybrid Information Technology, volume 310 of CCIS, pages 654–663. Springer Berlin Heidelberg, 2012.

[8] Damopoulos, D., G. Kambourakis, M. Anagnostopoulos, S. Gritzalis, and J.H. Park: User privacy and modern mobile services: are they on the same path? Personal and Ubiquitous Computing, (Online First):1–12, 2012.

[9] Damopoulos, Dimitrios, Georgios Kambourakis, and Stefanos Gritzalis: iSAM: An iPhone stealth airborne malware. In Proceedings of the 26th IFIP TC-11 International Information Security Conference, IFIP Advances in Information and Communication Technology - IFIP AICT, pages 17–28. Springer, 2011.

[10] Damopoulos, Dimitrios, Georgios Kambourakis, and Stefanos Gritzalis: From keyloggers to touchloggers: Take the rough with the smooth. Computers & Security, 32:102–114, 2013.

[11] Distefano, Alessandro and Gianluigi Me: An overall assessment of mobile internal acquisition tool. Digital Investigation, 5, Supplement:S121–S127, 2008.


[12] Grispos, George, Tim Storer, and William Bradley Glisson: A comparison of forensic evidence recovery techniques for a Windows Mobile smart phone. Digital Investigation, 8(1):23–36, 2011.

[13] Harrill and Mislan: A small scale digital device forensics ontology, 2007. http://www.ssddfj.org/papers/ssddfj_v1_1_harrill_mislan.pdf.

[14] Hoog, Andrew: Chapter 6 - Android forensic techniques. In Android Forensics, pages 195–284. Syngress, Boston, 2011.

[15] Hoog, Andrew and Kyle Gaffaney: iPhone forensics, 2009. http://www.mandarino70.it/Documents/iPhone-Forensics-2009.pdf.

[16] Husain, Mohammad Iftekhar, Ibrahim Baggili, and Ramalingam Sridhar: A simple cost-effective framework for iPhone forensic analysis. In Digital Forensics and Cyber Crime, volume 53 of LNICST, pages 27–37. Springer Berlin Heidelberg, 2011.

[17] ISO/IEC: Guidelines for identification, collection, acquisition, and preservation of digital evidence, ISO/IEC 27037:2012, First Edition, 2012. http://www.iso27001security.com/html/27037.html.

[18] Jansen, Wayne and Rick Ayers: Guidelines on PDA forensics, November 2004. http://csrc.nist.gov/publications/nistpubs/800-72/sp800-72.pdf.

[19] Jansen, Wayne and Rick Ayers: PDA forensic tools: An overview and analysis, August 2004. http://csrc.nist.gov/publications/nistir/nistir-7100-PDAForensics.pdf.

[20] Jansen, Wayne and Rick Ayers: Guidelines on cell phone forensics, 2007. http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf.

[21] Jansen, Wayne and Aurelien Delaitre: Mobile forensic reference materials: A methodology and reification, October 2009. http://csrc.nist.gov/publications/nistir/ir7617/nistir-7617.pdf.

[22] Jung, Jinhyung, Chorong Jeong, Keunduk Byun, and Sangjin Lee: Sensitive privacy data acquisition in the iPhone for digital forensic analysis. In Secure and Trust Computing, Data Management and Applications, volume 186 of CCIS, pages 172–186. Springer Berlin Heidelberg, 2011.

[23] Kim, Dohyun, Jungheum Park, Keun gi Lee, and Sangjin Lee: Forensic analysis of Android phone using ext4 file system journal log. In Park, James J. (Jong Hyuk), Victor C.M. Leung, Cho Li Wang, and Taeshik Shon (editors): Future Information Technology, Application, and Service, volume 164 of LNEE, pages 435–446. Springer Netherlands, 2012.

[24] Klaver, C.: Windows Mobile advanced forensics. Digital Investigation, 6, Embedded Systems Forensics: Smart Phones, GPS Devices, and Gaming Consoles(3-4):147–167, 2010.


[25] Lai, Yenting, Chunghuang Yang, Chihhung Lin, and TaeNam Ahn: Design and implementation of mobile forensic tool for Android smart phone through cloud computing. In Lee, Geuk, Daniel Howard, and Dominik Slezak (editors): Convergence and Hybrid Information Technology, volume 206 of CCIS, pages 196–203. Springer Berlin Heidelberg, 2011.

[26] Lessard, Jeff and Gary C. Kessler: Android forensics: Simplifying cell phone examinations, 2009. http://www.ssddfj.org/papers/SSDDFJ_V4_1_Lessard_Kessler.pdf.

[27] Lohrum, Mark: Forensic extractions of data from the Nokia N900. In Gladyshev, Pavel and Marcus K. Rogers (editors): Digital Forensics and Cyber Crime, volume 88 of LNICST, pages 89–103. Springer Berlin Heidelberg, 2012.

[28] Maus, Stefan, Hans Hofken, and Marko Schuba: Forensic analysis of geo-data in Android smartphones, 2011. http://www.schuba.fh-aachen.de/papers/11-cyberforensics.pdf.

[29] Mokhonoana, Pontjho M. and Martin S. Olivier: Acquisition of a Symbian smartphone's content with an on-phone forensic tool. In Southern African Telecommunication Networks and Applications Conference 2007 (SATNAC 2007) Proceedings, 2007.

[30] Morris, B.: Symbian OS Architecture Sourcebook. John Wiley & Sons, 2006.

[31] Morrissey, Sean: iOS Forensic Analysis: for iPhone, iPad, and iPod touch. Apress, Berkeley, CA, USA, 1st edition, 2010.

[32] Mutawa, Noora Al, Ibrahim Baggili, and Andrew Marrington: Forensic analysis of social networking applications on mobile devices. Digital Investigation, 9, Supplement:S24–S33, 2012.

[33] Park, Jungheum, Hyunji Chung, and Sangjin Lee: Forensic analysis techniques for fragmented flash memory pages in smartphones. Digital Investigation, 9(2):109–118, 2012.

[34] Pooters, Ivo: Full user data acquisition from Symbian smart phones. Digital Investigation, 6, Embedded Systems Forensics: Smart Phones, GPS Devices, and Gaming Consoles(3-4):125–135, 2010.

[35] Quick, Darren and Mohammed Alzaabi: Forensic analysis of the Android file system YAFFS2. In Proceedings of the 9th Australian Digital Forensics Conference, Edith Cowan University, Perth, Western Australia, 2011.

[36] Racioppo, C. and N. Murthy: Android forensics: A case study of the HTC Incredible phone, 2012. http://csis.pace.edu/~ctappert/srd2012/b6.pdf.

[37] Rehault, Frederick: Windows Mobile advanced forensics: An alternative to existing tools. Digital Investigation, 7:38–47, 2010.


[38] Sasidharan, Satheesh Kumar and K.L. Thomas: Blackberry forensics: An agent based approach for database acquisition. In Abraham, Ajith, Jaime Lloret Mauri, John F. Buford, Junichi Suzuki, and Sabu M. Thampi (editors): Advances in Computing and Communications, volume 190 of CCIS, pages 552–561. Springer Berlin Heidelberg, 2011.

[39] Satheesh Kumar, S., Bibin Thomas, and K.L. Thomas: An agent based tool for Windows Mobile forensics. In Gladyshev, Pavel and Marcus K. Rogers (editors): Digital Forensics and Cyber Crime, volume 88 of LNICST, pages 77–88. Springer Berlin Heidelberg, 2012.

[40] Simao, Andre, Fabio Sicoli, Laerte Melo, Flavio Deus, and Junior Rafael Sousa: Acquisition and analysis of digital evidence in Android smartphones. The International Journal of Forensic Computer Science, 6(1):28–43, 2011.

[41] Sylve, Joe, Andrew Case, Lodovico Marziale, and Golden G. Richard: Acquisition and analysis of volatile memory from Android devices. Digital Investigation, 8(3-4):175–184, 2012.

[42] Team HelloOx: HelloOx, 2013. http://www.helloox2.com.

[43] Thing, Vrizlynn L.L. and Tong Wei Chua: Symbian smartphone forensics: Linear bitwise data acquisition and fragmentation analysis. In Computer Applications for Security, Control and System Engineering, CCIS, pages 62–69. Springer Berlin Heidelberg, 2012.

[44] Thing, Vrizlynn L.L. and Darell J.J. Tan: Symbian smartphone forensics and security: Recovery of privacy-protected deleted data. In Information and Communications Security, volume 7618 of LNCS, pages 240–251. Springer Berlin Heidelberg, 2012.

[45] Tso, Yu Cheng, Shiuh Jeng Wang, Cheng Ta Huang, and Wei Jen Wang: iPhone social networking for evidence investigations using iTunes forensics. In Proceedings of the 6th International Conference on Ubiquitous Information Management and Communication, ICUIMC '12, pages 1–7, Article 62. ACM, 2012.

[46] Vidas, Timothy, Chengye Zhang, and Nicolas Christin: Toward a general collection methodology for Android devices. Digital Investigation, 8:S14–S24, 2011.

[47] Yates, Maynard: Practical investigations of digital forensics tools for mobile devices. In 2010 Information Security Curriculum Development Conference, InfoSecCD '10, pages 156–162, New York, NY, USA, 2010. ACM.

[48] Yu, Xian, Lie Hui Jiang, Hui Shu, Qing Yin, and Tie Ming Liu: A process model for forensic analysis of Symbian smart phones. In Advances in Software Engineering, volume 59 of CCIS, pages 86–93. Springer Berlin Heidelberg, 2009.

[49] Zdziarski, Johnathan: iPhone Forensics. Recovering Evidence, Personal Data, and Corporate Assets. O'Reilly Media, 2008.


[50] Zimmermann, Christian, Michael Spreitzenbarth, Sven Schmitt, and Felix C. Freiling: Forensic analysis of YAFFS2. In Suri, Neeraj and Michael Waidner (editors): Sicherheit 2012: Sicherheit, Schutz und Zuverlässigkeit, volume 195 of LNI, pages 59–69. GI, 2012.


List of Figures

3.1 Mobile OS Market Share 14
3.2 Android Architecture 15
3.3 iOS Architecture 17
3.4 Blackberry Architecture 17
3.5 Windows Architecture 18
3.6 Maemo Architecture 19

5.1 Major smartphones' forensics approaches in chronological order. The arrows indicate interrelation between proposals (i.e., [b] has been influenced by [a]) 42

A.1 Major smartphone forensics approaches in chronological order. The arrows indicate interrelation between proposals (i.e., [b] has been influenced by [a]) 28


Appendix A

In the context of this thesis we wrote the following article, which has been submitted to the "Digital Evidence" electronic journal.

A critical review of 7 years of Mobile Device Forensics

Konstantia Barmpatsalou 1, Dimitrios Damopoulos 1, Georgios Kambourakis 1, Vasilis Katos 2

1 Department of Information and Communication Systems Engineering, University of the Aegean

2 Department of Electrical and Computer Engineering, Democritus University of Thrace, University Campus, Kimmeria, Xanthi, Greece


Abstract

Mobile Device Forensics (MF) is an interdisciplinary field consisting of techniques applied to a large variety of handheld device types. Over the last few years, a significant number of works have been conducted, concerning various mobile device platforms, data acquisition schemes and data retrieval methods. This work aims to provide a comprehensive overview of the field, by presenting a detailed overview of the actions and methodologies taken throughout the last seven years. A multilevel chronological categorization of the most significant studies is given, in order to provide a quick but complete way of observing the trends within the field. This also serves as an analytic progress report with regard to the evolution of MF. Moreover, since standardization efforts in this area are still in their infancy, the research at hand aspires to set the foundations towards a common framework proposal. Of course, technology concerning mobile devices is evolving rapidly and thus disciplines in the MF ecosystem will succumb to changes frequently. Thus, a rigorous and critical review of the state-of-the-art will serve quick and effective reference and adaptation.

Keywords: Mobile Device Forensics; Smartphone; Security


A.1 Introduction

Internet and Information Technology (IT) are no longer a novelty, but a necessity in almost every aspect of people's lives, extending to a great variety of purposes, from business, education and public health to entertainment, commerce and more. Models and behavioral patterns have changed in order to adapt to the new conditions. It is thus inevitable that delinquent actions and patterns follow the same direction in their evolution and differentiation. Cybercrime, and even the involvement of IT infrastructures in lesser or major criminal activities, led to the forming of a new discipline, namely Digital Forensics (DF), equivalent to classical forensics, where "evidence analysis takes place using data extracted from any kind of digital electronic device" [13]. A digital device can participate in a crime by different means. "It can be an instrument of a crime, a target of a crime or a storage of evidence" [29]. Due to the different attributes among types of digital devices, multiple forensic disciplines have emerged, one concerning each of them. Thus, DF is divided into the following categories: Computer Forensics, Network Forensics, Small Scale Device Forensics or Mobile Device Forensics, Forensic Audio and Forensic Video [4].

Technology concerning mobile devices has presented revolutionary growth during the last decade. Mobile phones, enhanced with hardware and software capabilities, no longer serve only as a means of communication, but also as small-scale portable computers with advanced communication capabilities. For instance, smartphones are able to store a rich set of personal information and at the same time provide powerful services, e.g. location-based services, Internet sharing via tethering, and intelligent voice assistants, to name just a few. In addition to the traditional cyber attacks and malware threats that plague legacy computers, smartphones now represent a promising target for malware developers that struggle to expose users' sensitive data, compromise the device or manipulate popular services [8–10]. Additionally, while the number of stolen or lost smartphones has increased rapidly over the last few years, some of these devices may be used as stepping stones [6] to spoof the real identity of the attacker or to take advantage of the stored sensitive personal information.

According to [20], MF is the science of recovering digital evidence from a mobile phone under forensically sound conditions using accepted methods. It is therefore without a doubt that, since the use of small portable devices has become widespread, the probability of a mobile device being involved in a criminal action is growing significantly.

The field of MF is challenging by default, due to the fact that smartphones have limited processing and memory resources, different CPU architectures and a variety of tightly locked-down Operating System (OS) versions compared to those of a personal computer, making forensics a complex task. As an example, quicker power consumption in mobile devices is a factor to be taken into consideration. The battery resources of a handheld device vanish rapidly and investigators need to anticipate this by being equipped with the appropriate charging cables. Also, technology is evolving at a quicker pace when it comes to mobile devices. While some methods may be effective for a certain device or OS version, they may be useless for its successor(s). The variety of models and OSs can also raise a barrier concerning usage training. Investigators charged with the task of interacting with the devices have to be advanced users, in order to avoid human-driven errors. On the other hand, the amount of data acquired from small-scale devices may be considerably smaller than that retrieved from personal computers [47].


According to [39], the important processes involved in a cyber crime investigation are evidence identification, seizure, acquisition, authentication, analysis, presentation and preservation. Additionally, [26] mentions that one of the major difficulties in the field of MF is the general lack of hardware, software and/or interface standardization within the industry. This fact makes forensic examination a hard task, especially for unified research.

Dealing with MF from the very beginning of mobile devices' existence would be a time-consuming and outdated procedure, since literature related to them is scarce and older generation devices are not used anymore. The complexity of smartphone functionality, in addition to the fact that more and more users obtain such devices, led to the decision to limit this research solely to the smartphone area.

Based on these facts, we review and categorize, based on several factors, the main milestones, methodologies and significant studies for MF, aiming to provide a comprehensive view of the state-of-the-art by performing an in-depth study of the field.

Our Contribution: This work aims to provide an adequate overview of the field of MF, by reviewing and presenting a detailed overview of the actions and methodologies taken throughout the last 7 years. A schematic timeline of the most significant studies so far is given, in order to provide a quick but complete way of observing the milestones and trends within the field. By doing so we offer an analytical progress report concerning the evolution of MF. Since standardization activities in the area are quite far from being mature, our work can contribute towards the shaping of a common framework. Technology concerning mobile devices is evolving at a rapid pace and disciplines will succumb to changes frequently. A strong fundamental infrastructure, though, will serve quick and effective adaptation. As a result, newcomers or even experts of the field will be able to have a compact image of the state-of-the-art. Also, with this work, we expose existing problems in the field of MF and hope to motivate further research in the area.

Although some studies throughout the literature [5, 12, 15, 39, 47] have cross-evaluated commercial forensic suites for extracting conclusions about the retrieved data, to the best of our knowledge, this is the first work that goes some steps further than just reviewing implementations and experimental efforts in the field. Therefore, due to the fact that the development of commercial forensic tools is based on elements of the main acquisition methodologies (addressed in this paper), works focusing on commercial MF suites are out of the scope of this work, and thus have been intentionally neglected.

The rest of this work is structured as follows. Section A.2 enumerates, classifies and analyzes the criteria that will be used throughout this work, providing in this way the necessary background knowledge. Section A.3 surveys the state-of-the-art in the field. Section A.4 elaborates on the research work done so far, contributing a complete categorization of the major MF approaches. The last section draws a conclusion.

A.2 Preliminaries

The classification of smartphones in the context of MF follows the prevailing differences amongst device characteristics. It is split into three main categories: Evidence Acquisition Methods, Operating Systems, and Acquired Data Types.

A.2.1 Acquisition Methods

Forensic acquisition from devices is divided into three categories: manual, logical and physical. Each one uses different attributes of the device for extracting the desired amount of data. Manual acquisition amounts to whatever an individual is capable of acquiring by interacting with the device itself. This procedure may consist of two separate phases: keeping a log of the actions taken [12] and interacting with installed applications to copy the existing data [29]. Additional means, such as cameras, can be used in order to record the device state [12]. Since the probability of human error is very high and crucial elements can be bypassed, this method should be used as a supplementary one. Due to the fact that manual acquisition is the only technique returning data in human-interpretable format, it is necessary that it take place simultaneously with the other two kinds. As a result, it will not be examined as a separate category, but will be integrated into the other two.

Logical acquisition mainly concerns data that has not been deleted and is achieved by accessing the file system of the device [14]. Data that has already been deleted is less likely to be acquired, but not impossible to recover. Logical acquisition techniques and tools interact with the file system, whereas physical acquisition ones access lower areas. This observation stands behind their different behavior towards certain kinds of files. "Sometimes logical acquisition is not possible, for instance when the device is broken beyond repair, or when the device does not have a standard interface to do the logical acquisition over" [24].

On the other hand, physical acquisition is solely related to the physical storage medium. Such a technique is also referred to as a bitwise copy of the internal flash memory [12, 35, 43]. This kind of acquisition is more likely to retrieve deleted data [16], since such data is just considered unallocated, but continues to exist. Nevertheless, physical acquisition is a procedure which is more likely to lead to destruction of the device due to human mistakes, so its use is limited to occasions when it is considered the last resort. According to [24], "True physical acquisition can either mean physically removing memory from the device, using hardware techniques like JTAG to extract data from the device or use an (adapted) bootloader to gain low level access to the device". These kinds of techniques "are not only technically challenging and require partial to full disassembly of the device, but they require substantial post-extraction analysis to reassemble the file system" [14]. Nevertheless, it is generally admissible that physical acquisition prevails over logical, because it allows deleted files and any data remnants present to be examined [20]. The nature of physical acquisition techniques led to the development of alternative, less risky solutions, such as the pseudo-physical acquisition for the Windows Mobile OS [24]. It has not yet been proven, though, that such techniques are applicable to other OS carriers.
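An added illustration (not from the thesis or any cited tool) of why the two views differ: a constructed toy image in which a deleted record keeps its bytes but loses its allocation entry, so the logical walk misses it while a bitwise scan of the same image still recovers it. The image format, the MAGIC signature and the record names are invented for this example.

```python
import struct
from typing import Dict, List, Tuple

# Constructed toy image format (not any real mobile file system):
#   allocation table : count (1 byte), then per entry offset (4 bytes BE) + allocated flag (1 byte)
#   record area      : MAGIC + payload length (2 bytes BE) + name length (1 byte) + name + payload
# Deleting a file here clears its allocated flag and nothing else, mirroring the
# situation the text describes: the bytes stay on the medium, only the allocation changes.
MAGIC = b"REC\x00"
ENTRY = struct.Struct(">IB")
HEADER = struct.Struct(">HB")


def build_image(records: List[Tuple[str, bytes, bool]]) -> bytes:
    """Lay out (name, payload, allocated) records into one flat image."""
    table = bytearray([len(records)])
    body = bytearray()
    table_size = 1 + ENTRY.size * len(records)
    for name, payload, allocated in records:
        table += ENTRY.pack(table_size + len(body), 1 if allocated else 0)
        encoded = name.encode()
        body += MAGIC + HEADER.pack(len(payload), len(encoded)) + encoded + payload
    return bytes(table + body)


def read_record(image: bytes, offset: int) -> Tuple[str, bytes]:
    """Decode one record whose MAGIC starts at `offset`."""
    length, name_len = HEADER.unpack_from(image, offset + len(MAGIC))
    start = offset + len(MAGIC) + HEADER.size
    name = image[start:start + name_len].decode()
    return name, image[start + name_len:start + name_len + length]


def logical_acquisition(image: bytes) -> Dict[str, bytes]:
    """Logical view: walk the file-system structures, so only allocated entries are seen."""
    found = {}
    for i in range(image[0]):
        offset, allocated = ENTRY.unpack_from(image, 1 + ENTRY.size * i)
        if allocated:
            name, payload = read_record(image, offset)
            found[name] = payload
    return found


def physical_carving(image: bytes) -> Dict[str, bytes]:
    """Physical view: scan the bitwise copy for record signatures, ignoring allocation."""
    found = {}
    pos = image.find(MAGIC)
    while pos != -1 and pos + len(MAGIC) + HEADER.size <= len(image):
        name, payload = read_record(image, pos)
        found[name] = payload
        pos = image.find(MAGIC, pos + len(MAGIC))
    return found


def deleted_remnants(image: bytes) -> Dict[str, bytes]:
    """Records present in the bitwise copy but invisible to the logical acquisition."""
    visible = logical_acquisition(image)
    return {n: p for n, p in physical_carving(image).items() if n not in visible}


# Constructed sample device content: two live files and one deleted photo.
SAMPLE_RECORDS = [
    ("sms.db", b"SQLite format 3\x00...", True),
    ("IMG_0042.jpg", b"\xff\xd8\xff\xe0 deleted photo remnant", False),
    ("contacts.db", b"alice,+00 000 0000", True),
]
SAMPLE_IMAGE = build_image(SAMPLE_RECORDS)

if __name__ == "__main__":
    print("logical :", sorted(logical_acquisition(SAMPLE_IMAGE)))
    print("physical:", sorted(physical_carving(SAMPLE_IMAGE)))
    print("remnants:", sorted(deleted_remnants(SAMPLE_IMAGE)))
```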

A.2.2 Operating Systems

A factor of heterogeneity which is an impediment against the development of a common MF framework is the existence of different OSs (mobile platforms). Current market share gives Android and iOS the prevailing percentages [3]. Other OSs, such as Blackberry and Windows Mobile, also remain a popular choice. As already mentioned, these popular OSs have been the apple of discord throughout the history of MF, as their use would limit the admissibility of evidence in court [1, 20].

In generalized terms, low-level modifications grant access to system areas which are by default protected by each OS manufacturer. The privileges users gain after the application of a low-level modification vary among different OSs. Low-level modifications can have a variety of names depending on the OS they are applied to. They are known either as Rooting (Android, Windows Mobile), Jailbreak (iOS) or Capability Hack (Symbian). For example, Android users are able to install and run applications that require access to the root directory, such as backup features. In addition to root privileges, iOS users can also install applications not available in the App Store. Capabilities on Symbian devices are security mechanisms that can be bypassed by installing a root certificate, thus allowing users to install and execute unsigned applications. A brief overview of the OSs' characteristics will be given in the next paragraphs, alongside their impact on forensic acquisition.

Android was first released in 2007 and in less than five years managed to become the dominant OS in the mobile handsets market. The OS runs on a Linux 2.6-based kernel, which supports fundamental functions, such as device drivers, network infrastructure and power management [14, 46, 47]. The next level of the Android architecture is the domain of the libraries, split into application and Android runtime ones. The former category provides the appropriate infrastructure for applications to run properly, such as binaries and graphics support, while the latter consists of the Dalvik Virtual Machine (DVM) and the core libraries that provide the available functionality for the applications [47]. Its main purpose is the creation of a stable and secure environment for application execution. Each application runs in its own sandbox (virtual machine). Therefore, it is not affected by other applications or system functions. Using certain resources is only permitted through special privileges. This way, a satisfying level of security is preserved. While the Android Runtime Libraries are written in Java [47], the DVM translates Java to a language that the OS can understand [40]. The rest of the architecture consists of the Application Framework and the Applications Layer, which manage general application structure, such as containers, alerts and the applications themselves.

Due to its small chip size, non-volatile nature and energy efficiency, NAND flash memory was selected to equip Android devices for storage purposes [14, 50]. NAND flash memory needed a file system being "aware of the generic flash limitations and take these into account on the software level when reading and writing data from and to the chip" [50]. Yet Another Flash File System 2 (YAFFS2) was the first file system implemented for devices running Android. After some years of actual use, on the other hand, many issues concerning system performance, speed of input/output actions and large file coverage occurred. As mobile device architecture tends to follow the path of desktop computers and acquire multiple core processors, another obstacle arises, since YAFFS2 cannot support this specific technology [23]. Right before the release of ver. 2.3 of the OS (Gingerbread), the file system was replaced with EXT4. This file system, apart from successfully coping with the weak points of its predecessor, is enhanced with a journaling function [23], which provides recovery options and facilitates acquisition of unallocated files.

Android provides potential developers with the SDK (Software Development Kit), which includes a very important tool for forensic and generic purposes, the Android Debug Bridge (adb). Adb uses a TCP or USB connection between a mobile device and a computer. The appropriate software is installed at both sides in order to acquire debugging information, start a shell session with the provided interface, initiate file transactions and add or remove applications [14, 40, 46]. Since adb grants a terminal interface, actions like rooting and memory image extraction can be easily performed.

NAND flash memory was incompatible with the Linux-based kernel. A new technique had to be implemented for providing the software components with the ability to access the flash memory areas [46]. The Memory Technology Devices (MTD) system was one of the facilities serving as an intermediate between the kernel and the file system and is present in many Android devices. Handsets that do not support the MTD system usually utilize the plain Flash Transaction Layer (FTL) that enables communication between the two parts [14]. Although there are no restrictions concerning the MTD numbers or types, a certain standard has been adopted by many device manufacturers [14, 26, 46]. MTDs are divided into several partitions, according to the type of information they store. They can contain information about booting, recovery, user data, configurations, cache and system files.
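As an added example (not from the thesis or any cited tool), a parser for the /proc/mtd listing exposed by MTD-based Android handsets, which turns the partition table just described into an imaging plan: each partition is mapped to its block device, checked for erase-block alignment, and the user-data areas are ordered first. The listing is constructed; the partition names and the /dev/block/mtdblockN device path are the common convention and are assumed here.

```python
import re
from typing import Dict, List

# Constructed listing in the layout /proc/mtd uses on MTD-based Android handsets:
# device, total size and erase-block size in hex bytes, then the quoted partition name.
# The partition names follow the convention the text describes (boot, recovery,
# user data, cache, system); the exact set varies per manufacturer.
SAMPLE_PROC_MTD = """\
dev:    size   erasesize  name
mtd0: 00040000 00020000 "misc"
mtd1: 00500000 00020000 "recovery"
mtd2: 00280000 00020000 "boot"
mtd3: 04380000 00020000 "system"
mtd4: 04380000 00020000 "cache"
mtd5: 04ac0000 00020000 "userdata"
"""

MTD_LINE = re.compile(r'^mtd(\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]*)"$')

# Partitions where user-generated evidence lives, acquired first; the rest hold
# OS, boot and recovery images and come afterwards.
USER_DATA_PARTITIONS = ("userdata", "cache")


def parse_proc_mtd(text: str) -> List[Dict]:
    """Parse a /proc/mtd listing into partition descriptors."""
    partitions = []
    for raw in text.splitlines():
        match = MTD_LINE.match(raw.strip())
        if not match:            # the header line, or a line in an unexpected layout
            continue
        index, size_hex, erase_hex, name = match.groups()
        size, erasesize = int(size_hex, 16), int(erase_hex, 16)
        # A partition that is not a whole number of erase blocks points at a
        # misread listing; imaging it block by block would silently truncate.
        if erasesize == 0 or size % erasesize:
            raise ValueError(f"mtd{index}: size {size:#x} is not a whole number "
                             f"of erase blocks of {erasesize:#x}")
        partitions.append({
            "index": int(index),
            "name": name,
            "size": size,
            "erasesize": erasesize,
            "blocks": size // erasesize,
            "user_data": name in USER_DATA_PARTITIONS,
        })
    return partitions


def acquisition_plan(partitions: List[Dict]) -> List[Dict]:
    """Order partitions for imaging and attach the block device each one is read from.
    /dev/block/mtdblockN is the usual Android node for MTD partition N (assumed here)."""
    ordered = sorted(partitions, key=lambda p: (not p["user_data"], p["index"]))
    return [{"name": p["name"],
             "device": f"/dev/block/mtdblock{p['index']}",
             "bytes": p["size"],
             "blocks": p["blocks"]} for p in ordered]


def user_data_bytes(partitions: List[Dict]) -> int:
    """Total size of the user-data partitions, i.e. the minimum image to acquire."""
    return sum(p["size"] for p in partitions if p["user_data"])


if __name__ == "__main__":
    parts = parse_proc_mtd(SAMPLE_PROC_MTD)
    for step in acquisition_plan(parts):
        print(f"{step['name']:<10} {step['device']:<22} {step['bytes']:>12,d} bytes "
              f"({step['blocks']} erase blocks)")
    print("user data to image:", user_data_bytes(parts), "bytes")
```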

Blackberry OS devices are designed by the RIM company and are considered the most popular within the business world. Few things concerning the OS itself and its ingredients are known, since the manufacturer doesn't provide sufficient documentation. A significant attribute concerning the OS is that it consists of two separate runtime environments, one Java ME-based destined for applications and one MDS-based, destined for network functionality and operations. User data, such as contacts, messages, images and OS artifacts, are stored in databases, which are the acquisition target of every forensic operation.

iOS was first released in 2007. It is a UNIX-based OS, partially following the architecture of its Mac OS X equivalent. The main storage device of a mobile phone running iOS is divided into two partitions. The first contains the fundamental OS structure and the applications, while the second contains all the user-manipulated data [16]. The two bottom layers, Core Services and Core OS, provide support for low-level data types, network sockets and file access interfaces. The Media Services layer consists of the infrastructure responsible for 2D and 3D graphics, audio and video. Finally, the Cocoa Touch layer contains two subcategories, the UIKit, which is equipped with the appropriate interface material for applications, and the Foundation framework, which supports file management, collections and network operations [47].

Maemo is a Linux-based, open source OS. Even though it is not widespread and its development has been frozen since Oct. 2011, there are some research-oriented interesting features, such as the fact that user data, OS functions and swap spaces are situated in different partitions [27].

Symbian is one of the older OSs in the category, with its first release taking place in 1997 as EPOC 32, and was discontinued after January 2013. Applications are mainly written in Java, while its native language is Symbian C++ [29]. Since many different versions of the OS exist, it is inevitable that slight variations concerning its architecture will also be present. The UI Framework is the upper level and consists of the infrastructure responsible for user interface functionality. Below that resides the Application Services Layer, hosting essential services for applications to run properly. A separate layer is devoted to Java ME, in order to provide compatibility with the OS. It contains the virtual machine and some supportive packages. Networking services, handlers and components, graphic support elements and generic services are combined under the OS Services Layer. Lastly, the lowest level concerns the hardware and kernel infrastructure [30, 47].

The Windows Mobile OS is the evolution of Windows CE, used mainly on handheld devices, such as palmtops and PDAs [39]. It is a Windows-based system, with similar properties specially modified so as to suit the nature of mobile devices. One of the basic examples in this category is its file system. The T-FAT file system (Transaction-safe FAT) is a variation of the FAT file system used in desktop versions of Windows, enhanced with recovery options [24, 47]. Devices incorporating this OS support either NOR or NAND flash chips. Like the mobile OSs mentioned before, the architecture of the Windows Mobile OS consists of similar layers. That is, the upper layer, the Application UI, mediates between the user and the applications, and the lower layer (above the hardware) provides the appropriate infrastructure for the completion of system-oriented routine tasks, such as start-up, networking and other functions [38]. The Framework and CLR layers contain libraries serving the execution and performance of applications.

A.2.3 Data Types

Data acquired from forensic examinations can also be classified according to their type and the entity that has access to them. The first group consists of data handled and altered strictly by the OS, such as connection handlers (GPS, WiFi) and OS defaults and structural elements (IMEI, IMSI). The second group concerns data imported and edited by users, such as text messages, contact lists, pictures and all sorts of customized application data. Data used by applications in background procedures, and other similar entries manipulated by applications, form the third category.

Table A.3 offers a complete view of the areas where forensically significant data are stored in each mobile platform. Note that Databases and External Storage are present in every OS, which indicates that a common framework can be implemented for their acquisition. The RAM Heap and Shared Preferences are unique features of Windows Mobile and Android devices. The more popular an OS is, the more research effort is devoted to it; in this way, areas that were not expected to contain important data are brought to the surface. On the other hand, OSs without publicly distributed documentation, such as Blackberry, are harder to examine.

Table A.1: Forensically Significant Data per OS

Columns: OS | Databases or Files | External Storage | Shared Preferences | Network | System Logs or Registry | RAM Heap

Android         X X X X X
Blackberry      X X
iOS             X X X X
Maemo           X
Symbian         X X
Windows Mobile  X X X X X

A.3 State-of-the-art

A.3.1 Standards Background

Given that MF is a relatively new discipline and deviates substantially from computer forensics, similar standards cannot be applied straightforwardly. A first attempt to create an ISO certification was published in Oct. 2012, containing guidelines of general acceptance. “The fundamental purpose of the digital forensics standards ISO/IEC 27037, 27041, 27042 and 27043 is to promote good practice methods and processes for forensic investigation of digital evidence” [17].

The National Institute of Standards and Technology (NIST) has been actively involved in publishing guidelines for MF investigation regulations, in a series of Special Publications (SP). The two most recent publications are SP 800-101 [20] and Reference Materials NIST IR-7617 [21], which superseded the obsolete SP 800-72 [18] and NISTIR 7100 [19].

At least for the time being, the work conducted in [20] is considered a milestone in the field of MF.

However, these guidelines are not a theoretical set of rules, but rather assumptions derived from experience in field investigations. The authors described their own work as a means to help organizations develop appropriate policies and procedures for dealing with cell phones, and to prepare forensic specialists to contend with new circumstances involving cell phones when they arise [20]. They set their report of standards as an essential background for every upcoming investigation, but not as a strict set of orders, since exceptions to rules can always be present. Their report was edited according to the regulations imposed by the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347.

The authors also state that a forensic investigation must be a sequence of actions consisting of the following steps: acquisition, examination, analysis and reporting of retrieved data [20]. An official set of regulations demands a proper technical background setup. As a result, the authors provided potential readers with the most important infrastructure elements of mobile phone providers' networks and devices. It is therefore notable that researchers who took this guide into consideration followed the same pattern with small or no deviations, since it was used as a list of prerequisites and limitations in many studies [2, 25, 31, 34, 46].

Afterwards, they classified the acquisition techniques into two main categories, physical and logical, with a brief explanation of the characteristics of each. They proposed that conducting both acquisition types would be the most complete solution under real-time investigation circumstances. In addition, they enumerated the officially certified forensic tools and the attribute coverage of each. By the time of publishing, the majority of tools implemented concerned SIM modules. Tools supporting mobile device OSs have also been developed, but on a more limited scale.

Lastly, on the specific area of interest, they posed the main challenge concerning the efficiency of forensic tools. That is, an acceptable tool should be capable of preserving the integrity of acquired data with respect to their original state. This can be achieved by the use of hash functions.

Their study also concerned the setup of the investigation scene and the limitations that would prevent an acquisition from being admissible in court. The most significant part of the research was the one concerning data handling at and after the crime scene. Based on the Good Practice Guide for Computer-Based Electronic Evidence [1] regulations, they concluded that there should not be any data modification after device seizure, and that every step of the investigation should be documented by certified professionals and guided by the overall responsible practitioner. These specific restrictions are the main source of trouble for the technical part of the investigation, because their attributes are contrary to the nature of mobile devices. Description of data and evidence preservation was the next key point in their report. Seized devices should be stored in forensically sterile containers, be disconnected from any network source, and remain in a state as close as possible to the one they had at the moment of discovery.

Moreover, investigators are challenged to acquire any possible non-technical evidence from the device, such as fingerprints and DNA, before proceeding to further technical examination. Network isolation had been the apple of discord, since two different schools of thought exist in that direction. More specifically, switching the device off might activate security mechanisms, while network isolation through flight mode would alter the device state. One of the first dilemmas concerning acquisition was whether it should be performed on the fly or inside a forensic laboratory. After enumerating the essential information about the device without interacting with its software, investigators were able to begin the acquisition procedure for all the memory types present on the device. The first step was to ensure that certain prerequisites are present, so that the acquisition procedure can start without errors or misuse. Some important features to be acquired at the beginning were date and time. Extra attention should be paid to changes of date and time, whether intentional on the suspects' side or unintentional, as in the case of battery removal. In this direction, the authors provided an extra appendix with a detailed acquisition process, enhanced with screenshots. They next set a priority order for acquisition types. Due to the risks that may appear during physical acquisition, it is preferred that logical acquisition be performed first. Then, acquisition for identity modules is described.

A whole chapter section is devoted to powered-off devices or handsets that require any kind of security code, providing the available solutions for bypassing or acquiring the essential codes, which can be hardware/software driven, manual or even supported by help from a provider.

Special sections are also provided for removable storage media and other peripherals. The section concerning the examination procedure covers the phase after acquisition, where there is no longer any interaction with the device. Logical and/or physical images are examined for data of forensic interest, or even for data that could act as a medium to other data, such as passwords stored in a database. Acquired data are classified to an extent that can determine the actors, places, time and motive of an incident. The same section also contained information about subscriber details and call records that can be acquired from a telephony service provider. In the last chapter, referring to reporting, the authors provide a detailed guideline on the dissemination of the data acquisition results.

A.3.2 Android Forensics

Lessard and Kessler's work [26] concerns the procedure of acquiring a physical image and performing logical acquisition on an Android device. The test phone used during the experiments was an HTC Hero running Android 1.5. They suggest a simultaneous examination of both the flash memory and the removable SD memory card. Removable memory cards may not store critical types of data, but some of it could be useful to investigators. The examination of the removable card can easily be performed by a commercial tool, in their case AccessData's FTK Imager v.2.5.1. The use of a write blocker was a prerequisite, in order to avoid data modification. This is partially achieved by documenting all the actions performed on the target device; it can later be verified that the sequence of actions did not compromise the integrity of the evidence [20, 29]. On the other hand, internal memory contains more data of major forensic importance, such as contact and call lists, text messages etc. Physical acquisition cannot take place without gaining superuser privileges on the target phone. Rooting is achieved by using a third-party program or an exploit, but it alters system data and prevents the device from being forensically sound. The authors assume that this is the only way to acquire a physical image, at least until some other way of altering data on a smaller scale is discovered. After successful rooting of the target phone, the investigators were able to access every possible area within the phone memory. MTD blocks, which allow the embedded OS to run directly on flash, contain useful information, such as system files and user data [26]. By using the disk duplicate (dd) command in the adb shell, images of each mtd file present in the /dev/mtd directory were acquired. Afterwards, the memory image files were examined by a commercial forensic toolkit and useful files and entries were extracted. Using a forensic toolkit not only facilitates the forensic procedure, but also enables partial or full reading of fragmented and/or corrupted files. Flawless extraction of data was impossible. Nevertheless, data from all three categories (strictly OS-manipulated, user data and application data) were returned to the researchers and formed a satisfying picture of the use of the target mobile device. Useful information has also been retrieved from system databases and web browsers via logical examination of the /data/data directory.

UFED, another hardware forensic tool that performs logical acquisition only, was used by the authors in order to obtain a more accurate picture of the extraction results. After gathering and comparing the data extracted from both kinds of acquisition, Lessard and Kessler concluded that each one contributes satisfying results for different kinds of data. Despite the fact that their research was conducted at the very beginning of the Android forensics discipline, the results provided are accurate and the research attracted significant attention in later works.

Andrew Hoog [14] set the milestone in the field of Android forensics. After a brief introduction to forensics of all scales, he categorized and presented in a detailed way the two dominant acquisition techniques, logical and physical. In this work too, the data integrity and the presentation of a forensically sound set in court was disputed, since the nature of mobile phone functionality is not compliant with the existing regulations for computer forensics [1]. At first, Hoog set the framework for handling a device before the beginning of any acquisition process. The steps proposed include bypassing user passwords for screen locking or deactivating it from the settings menu, dealing with switched-off devices, isolating the device from any network sources, and being aware of providing charge when needed, so as to avoid interruption before or during the acquisition process. Right after enumerating the possible ways of network isolation and evaluating the advantages and disadvantages of each one, the author concluded that the most appropriate method is enabling the device's flight mode, if possible. Then, he suggested the use of adb in order to check for an existing USB connection and then perform the task of logical acquisition. Naturally, if the target device is not rooted, the adb connection will not be completed successfully.

Later on, he described the physical acquisition techniques, Joint Test Action Group (JTAG) and physical extraction (chip-off), and proposed their application when investigators would not be capable of performing a logical acquisition. Hoog provides an in-depth presentation of a forensic examination of the removable (SD) or embedded (eMMC) media, while similar field studies simply neglect the subject. Bypassing security codes was a major issue faced. One applicable technique, concerning on-screen shape locks, was the so-called smudge attack. That is, pattern locks could be revealed by shedding light on the screen from different angles.

An alternate solution was booting into recovery mode, considered obligatory if the device had been powered off. The author focused on the use of a write blocker in order not to alter the state of the device by mistake. Afterwards, he enumerated and described the most popular logical acquisition techniques, including adb, the AFLogical tool, Cellebrite UFED and others. He also provided a detailed description of hardware (JTAG) and software (bootloader) physical acquisition techniques and emphasized the importance of using MD5 hash functions when comparing the acquired files.

As smartphones became more complicated than their ancestors, new attributes were added to their functionality. One of them is the Global Positioning System (GPS), whose uses vary from check-in actions for social networks to navigation purposes and image metadata. Data logs from such applications, or even raw forms from the GPS system itself, are a valuable source for investigators, since they are able to illuminate cases in depth, especially when they are enhanced with timestamps. In this context, the work by [28] introduces a technique that serves in acquiring all the available geodata present inside a smartphone. They claimed that rooting is obligatory in order to gain access to the applications containing the needed data. The extraction procedure consisted of the following steps: (a) performing search queries for attributes such as latitude, longitude and altitude in application databases, and (b) storing them in a database suitable for the specific type of data. Also, the authors correctly observe that geo-position data can be stored in other forms, such as text metadata, which could make their acquisition a difficult task. If so, the data can also be retrieved by searching for specific terms related to location and then stored in a database appropriate for their form.

Geodata conversion functions take geodata or metadata as input and return them in a human-interpretable format for further editing (XML). A way of presenting geodata in a compact form is the use of an API similar to Google Maps, containing pins and other significant enhancements. Apart from specific locations, the presentation procedure can also return the routes the device owner followed. Taking this into account, the researchers implemented a forensic acquisition tool, coined Android Forensic Toolkit, suitable for Android ver. 2.2 devices; geodata analysis and presentation was a feature under development. No linkage between the data extraction procedure and the program was provided. They came to the conclusion that forensic analysis derived from geodata is a precious source of evidence and that the data to be extracted should be taken into consideration in potential acquisition procedures.
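The two-step procedure described above (query application databases for latitude/longitude/altitude columns, fall back to searching text fields for coordinates, and store everything in a database suited to geodata) can be exercised on a constructed SQLite database. This is an added Python example and not the Android Forensic Toolkit of [28]; the column-name list, the coordinate regex and the sample tables are assumptions made for the demonstration.

```python
import re
import sqlite3
from typing import Dict, List, Tuple

# Column names treated as geo attributes (assumed naming, as in step (a)).
GEO_COLUMNS = {"latitude": "lat", "lat": "lat", "longitude": "lon", "lon": "lon",
               "lng": "lon", "altitude": "alt", "alt": "alt"}
# Decimal "lat, lon" pair embedded in free text (step (b) fallback, assumed shape).
COORD_RE = re.compile(r"(-?\d{1,3}\.\d{3,})\s*,\s*(-?\d{1,3}\.\d{3,})")


def valid_coord(lat: float, lon: float) -> bool:
    return -90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0


def user_tables(conn: sqlite3.Connection) -> List[str]:
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table'")
    return [r[0] for r in rows if not r[0].startswith("sqlite_")]


def geo_columns(conn: sqlite3.Connection, table: str) -> Dict[str, str]:
    """Map role ('lat' / 'lon' / 'alt') to the actual column name of one table."""
    roles: Dict[str, str] = {}
    for _cid, name, *_ in conn.execute(f'PRAGMA table_info("{table}")'):
        role = GEO_COLUMNS.get(name.lower())
        if role and role not in roles:
            roles[role] = name
    return roles


def extract_column_points(conn: sqlite3.Connection) -> List[Tuple]:
    """Step (a): query every table that exposes latitude and longitude columns."""
    points = []
    for table in user_tables(conn):
        roles = geo_columns(conn, table)
        if "lat" not in roles or "lon" not in roles:
            continue
        cols = [roles["lat"], roles["lon"]] + ([roles["alt"]] if "alt" in roles else [])
        sel = ", ".join(f'"{c}"' for c in cols)
        for row in conn.execute(f'SELECT rowid, {sel} FROM "{table}"'):
            rowid, lat, lon = row[0], row[1], row[2]
            alt = row[3] if len(row) > 3 else None
            if lat is None or lon is None or not valid_coord(lat, lon):
                continue  # empty or out-of-range rows are noise, not evidence
            points.append(("column", table, rowid, float(lat), float(lon), alt))
    return points


def extract_text_points(conn: sqlite3.Connection) -> List[Tuple]:
    """Step (b) fallback: coordinates hidden inside text fields of any table."""
    points = []
    for table in user_tables(conn):
        names = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for name in names:
            for rowid, val in conn.execute(f'SELECT rowid, "{name}" FROM "{table}"'):
                if not isinstance(val, str):
                    continue
                for m in COORD_RE.finditer(val):
                    lat, lon = float(m.group(1)), float(m.group(2))
                    if valid_coord(lat, lon):
                        points.append(("text", table, rowid, lat, lon, None))
    return points


def store_points(evidence: sqlite3.Connection, points: List[Tuple]) -> int:
    """Step (b): persist the findings in a schema suited to geodata; returns row count."""
    evidence.execute("CREATE TABLE IF NOT EXISTS geopoints (source TEXT, src_table TEXT, "
                     "src_rowid INTEGER, lat REAL, lon REAL, alt REAL)")
    evidence.executemany("INSERT INTO geopoints VALUES (?, ?, ?, ?, ?, ?)", points)
    evidence.commit()
    return evidence.execute("SELECT COUNT(*) FROM geopoints").fetchone()[0]


def demo() -> Tuple[int, int, int]:
    """Run the scan over a constructed application database (not real app data)."""
    app = sqlite3.connect(":memory:")
    app.executescript("""
        CREATE TABLE checkins (venue TEXT, latitude REAL, longitude REAL, altitude REAL);
        INSERT INTO checkins VALUES ('cafe', 37.9715, 23.7257, 156.0);
        INSERT INTO checkins VALUES ('port', 40.6401, 22.9444, NULL);
        INSERT INTO checkins VALUES ('junk', 999.0, 0.0, NULL);
        CREATE TABLE notes (body TEXT);
        INSERT INTO notes VALUES ('meet at 37.9715, 23.7257 at noon');
        INSERT INTO notes VALUES ('no location here');
        CREATE TABLE contacts (name TEXT, phone TEXT);
        INSERT INTO contacts VALUES ('alice', '+30 210 0000000');
    """)
    col_pts = extract_column_points(app)
    txt_pts = extract_text_points(app)
    stored = store_points(sqlite3.connect(":memory:"), col_pts + txt_pts)
    return len(col_pts), len(txt_pts), stored
```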

[25] implemented a live-forensic acquisition procedure, based on commercial forensic suites through cloud computing, designed for Android devices. After a brief introduction to the Android OS and forensic legislative guidelines [20], they enumerated the prevailing features of cloud computing and how it could preserve a secure background, suitable for conducting forensic acquisition. They concluded that a cloud computing service, Google Cloud Service in their case, could satisfy a variety of conditions, such as security prerequisites, browser-based applications, bigger storage capacity and lack of time and location restrictions. At first, the researchers demonstrated the system architecture, which consisted of an HTTPS bridge between the cloud service provider and the workstations and devices. As soon as investigators downloaded the appropriate forensic software, they would be able to start data extraction. The acquisition type was not specified, but, judging from the data types the software was able to retrieve and the fact that no rooting techniques were mentioned, the procedure resembled a logical acquisition that can apply to rooted devices as well. One interesting and unique feature of the method was actual date correction, since proper time-stamping is essential for the validity and integrity of forensic analysis methods. The research would be considered complete as soon as the results of the acquired data were published. A study comparing cloud and classic forensic acquisition would shed light on the effectiveness of the method.


YAFFS and YAFFS2, the file systems present in devices running the Android OS, are the most frequently discussed in the literature. The authors in [35] performed experimental research with logical and physical acquisition techniques and tools (adb pull, NANDump, xRecovery and Yaffs2utils) on a rooted Sony Xperia 10i device. Logical acquisition was not able to acquire the full size of the file system, while physical acquisition, as expected, achieved a bitwise copy of the flash memory. Physical acquisition with spare data included followed a different approach, since the researchers needed to rebuild the YAFFS folder structure. Through the hex viewer WinHex, they were able to recognize the retrieved file headers and add timestamps to many of them by converting the equivalent hex values. Since many different tools were used, the acquisition results were fulfilling. Quick and Alzaabi claimed that NANDump generated a complete copy of the internal NAND memory. Lastly, they proposed the implementation of a tool or method that would be able to directly read and interpret the YAFFS file system elements. Such a utility would facilitate forensic investigations. Since Google swapped the file system type to EXT4, such research would be useful for older devices, but outdated.

[40] proposed a forensic acquisition framework for the Android OS. Their framework has been presented in flowchart form, since there are many different states of target devices, such as rooted or not, switched on or off, under access control or not. Even if their model can be applied to many scenarios, it is missing some crucial elements concerning a real-time investigation. The additional information in their proposal concerned acquisition on damaged devices and fragmented memory page analysis. In order to validate the effectiveness of the model, [40] conducted experiments on devices in different conditions and found that the proposed scheme was applicable. However, they admitted that further research should be conducted so that the framework can be kept up to date with upcoming versions of Android. A more enhanced version of the existing model was introduced by [33], even though their goal was not the implementation of a framework.

[41] referred to a lack of studies applicable to physical acquisition in the context of MF. They highlighted the importance of this issue, unlike many other studies that bypass the subject. The researchers presented “a methodology for acquiring complete memory captures from Android, code to analyze kernel data structures and scripts that allow analysis of a number of user and file-system based activities” [41]. Also, they enumerated the existing methodologies on volatile memory analysis for the Linux and Android OSs and compared the capabilities of the corresponding tools. Before proceeding to acquisition, they had to face the rooting challenge. They considered it a necessary evil, because the code expected to return the memory image had to access the device kernel. There had also been an attempt at memory acquisition with the use of methods intended for the Linux OS.

The results of their experiments proved that Linux-oriented techniques were incompatible with the Android OS, since plentiful bugs appeared, such as non-existent functions, the limited size of offsets supported by the (well-known) dd command, and an insufficient percentage of acquired memory. Moreover, some global issues arose, since not every kind of device showed identical behavior. The primary cause for this was the difference among ROM types and kernel modes, and it is yet to be discussed in future work.

Next, they presented the implemented method, namely DMD. The procedure consisted of the following steps: accessing the iomem resource kernel structure to acquire the beginning and ending points of RAM, converting to virtual memory, and copying the selected segment to a removable storage device or a TCP port. This method avoided parsing useless parts of the memory and enabled flawless execution of commands such as dd, cat etc. Additionally, the procedure was less time- and resource-consuming.

The researchers performed a case study of both types of acquisition on a rooted HTC device. TCP acquisition used the adb bridge to achieve port forwarding between the device and the workstation. Communication between the two sides was established through a socket, and a message header containing the memory range limits triggered the image acquisition. The memory image was acquired through port 4444 and, when the procedure completed, DMD terminated the existing connection. They observed that one of the main differences between TCP and SD card acquisition is the initial path parameter in the iomem command. The rest of the procedure was similar to memory dumping on SD cards in other studies. Last but not least, they proposed new aspects for future research, concerning Dalvik VM memory analysis, which offers an analysis of the total Android application space.
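The RAM-range selection step of DMD can be illustrated with an added Python example (not DMD's own code, which runs inside the kernel): it parses a constructed /proc/iomem excerpt, copies only the top-level System RAM spans so that device windows between them are never touched, and prefixes each segment with a header carrying the range limits and a SHA-256 digest that the receiving side of the TCP bridge can verify. The header layout and the scaled-down addresses are assumptions.

```python
import hashlib
import re
import struct
from typing import Callable, List, Tuple

IOMEM_RE = re.compile(r"^(\s*)([0-9a-fA-F]+)-([0-9a-fA-F]+)\s*:\s*(.+?)\s*$")
HEADER = ">4sQQ32s"  # magic, physical start, length, SHA-256 of the segment (assumed layout)

# Constructed /proc/iomem excerpt with scaled-down addresses (not from a real
# device): two RAM banks, a device window between them, and kernel
# sub-resources nested under the first bank.
SAMPLE_IOMEM = """\
00000000-00000fff : System RAM
  00000100-000007ff : Kernel code
  00000800-00000bff : Kernel data
00001000-00001fff : mmc0
00002000-00002fff : System RAM
"""


def parse_system_ram(iomem_text: str) -> List[Tuple[int, int]]:
    """Return (start, end) of every top-level 'System RAM' entry, end inclusive."""
    ranges = []
    for line in iomem_text.splitlines():
        m = IOMEM_RE.match(line)
        if not m:
            continue
        indent, start, end, name = m.groups()
        # Indented lines are sub-resources of the entry above them; only the
        # top-level RAM entries define the physical spans worth copying.
        if indent or name != "System RAM":
            continue
        ranges.append((int(start, 16), int(end, 16)))
    return ranges


def dump_ram(read_phys: Callable[[int, int], bytes], ranges: List[Tuple[int, int]],
             chunk: int = 0x400) -> List[Tuple[bytes, bytes]]:
    """Copy only the RAM spans, chunk by chunk, and pair each with its header.
    Everything between the spans (device windows) is never read."""
    segments = []
    for start, end in ranges:
        data, pos = bytearray(), start
        while pos <= end:
            n = min(chunk, end - pos + 1)      # the last chunk may be short
            data += read_phys(pos, n)
            pos += n
        digest = hashlib.sha256(data).digest()
        header = struct.pack(HEADER, b"SEG1", start, len(data), digest)
        segments.append((header, bytes(data)))
    return segments


def verify_segment(header: bytes, data: bytes) -> Tuple[int, int, bool]:
    """Receiver side: unpack the header and check the digest of what arrived."""
    magic, start, length, digest = struct.unpack(HEADER, header)
    ok = (magic == b"SEG1" and length == len(data)
          and hashlib.sha256(data).digest() == digest)
    return start, length, ok


def demo() -> List[Tuple[int, int, bool, bool]]:
    """Run the copy against a constructed 12 KiB physical memory image."""
    phys = bytearray(0x3000)
    phys[0x0000:0x1000] = bytes(i & 0x7F for i in range(0x1000))        # RAM bank 0
    phys[0x1000:0x2000] = b"\xee" * 0x1000                              # device window
    phys[0x2000:0x3000] = bytes((i * 7) & 0x7F for i in range(0x1000))  # RAM bank 1

    def read_phys(offset: int, length: int) -> bytes:
        return bytes(phys[offset:offset + length])

    results = []
    for header, data in dump_ram(read_phys, parse_system_ram(SAMPLE_IOMEM)):
        start, length, ok = verify_segment(header, data)
        # the last flag confirms that no device-window byte leaked into the dump
        results.append((start, length, ok, b"\xee" not in data))
    return results
```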

[46] took research to a different level, facing the challenge of forensic acquisition on devices protected by a screen lock. Since a brute-force attack on the device was not a preferable method and may lead to further blockage and inevitable data modification, another technique had to be implemented. In this direction, booting with a recovery image could easily bypass any kind of active lock code. After enumerating the criteria for a proper forensic analysis, they proposed an acquisition method based on the use of an acquired recovery image and adb software on the workstation the device is connected to. One of the MTD files present in the root folder of Android devices, known as mtd3 (recovery mode boot), was significant for the acquisition process of the recovery image. “By booting a device into recovery mode, the normal boot process is circumvented and the boot target is the bootimg currently loaded in the recovery partition” [46]. After this step, using a modified boot image (bootimg) for the device became a routine task. The bootimg the writers used consists of existing modified files used in adb activation, the most useful utilities (dd, nand, su, dump) and other transfer binaries. The researchers implemented TCP transfer software and used a hash value to preserve the integrity of the data moving back and forth. Last but not least, they provided for data dumping whether the target device was MTD-based (NAND dump) or not (dd command). Unlike many other studies [14, 26, 36], this one disapproved of rooting the target devices, presenting some potential disadvantages of the method. Also, the authors correctly observed that boot options differ between different brands of mobile handsets. As a result, they examined three separate case studies, one of which was a Samsung device without MTD partitioning. A weak spot of the research is that there were no statistical results of the retrieved data. However, this can pull the trigger for future experiments and case studies, since the technique can be applied to all kinds of data concerning logical acquisition.

Case studies are experiments adapted to real-time conditions. In the field of MF, where device behavior is unpredictable [12], case studies can greatly contribute to the creation of a holistic pattern concerning investigations. The work by [36] presented the case study of physical and logical forensic acquisition on an HTC Incredible, a device running the Android OS, ver. 2.3. The first part of the device to be examined was the removable storage media and, since its structure is practically identical to the ones used in desktop computers, a computer forensic tool, AccessData FTK Imager ver. 3.0.1, was used for acquiring a physical image copy. It is notable that the researchers used a write blocker to preserve the forensic soundness of the copy. For data integrity purposes, a hash value of the extracted image was used. Physical acquisition of the internal memory was a more complicated procedure. No useful data could be extracted if the phone was not rooted, so, even though the technique would not be admissible in court, they used a third-party program in order to root it. After gaining access to the root directory, they were able to create a bitwise copy of the seven MTDs present in the /dev/mtd folder. The next step concerned analyzing the acquired images of the MTDs using the Ubuntu program scalpel, along with Andrew Hoog's scalpel-Android.conf [14, 36]. After examining the results, they concluded that physical acquisition was as effective as described; even unallocated files were retrieved. The fact that some files were corrupted or destroyed was considered a normal side effect of the method. Logical acquisition provided access to areas where physical acquisition was unable to, such as databases. Every piece of information stored in databases, such as contacts, GPS positions, voicemails etc., had been retrieved. As in the majority of studies, the key future challenge the authors identified was the ability to root a device without disabling its forensic soundness.

EXT4 became the successor of YAFFS after the release of Android ver. 2.3. Among other features, this version supports journaling, which, by keeping a record of actions, enables error recovery mechanisms. During their experiment, [23] used two rooted devices running the Android OS, and their research was limited to logical acquisition. Next, they provide a detailed description of the file system and its crucial elements, memory block contents and journal log area attributes. Forensic acquisition for the journal log area was summarized as locating the appropriate indicator block, extracting the following blocks until the metadata one, and repeating the same until finding a block signifying the end of the sequence. If the hex values of the block and the metadata block are not identical, then the technique has met an unallocated file.
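The journal walk summarized above can be reproduced on a constructed jbd2 (EXT4) journal with an added Python example that is not the authors' own code: descriptor blocks play the role of the indicator block, commit blocks signal the end of a sequence, and logged copies whose bytes differ from the live file-system block are reported as earlier versions, for instance of a since-deleted file's metadata. It assumes a linear log with 32-bit block numbers and no checksum-v3 tags; block numbers and contents are constructed.

```python
import struct
from typing import Callable, Dict, List, Tuple

JBD2_MAGIC = 0xC03B3998
DESCRIPTOR, COMMIT, SUPERBLOCK_V1, SUPERBLOCK_V2 = 1, 2, 3, 4
FLAG_SAME_UUID, FLAG_LAST_TAG = 0x2, 0x8
HDR = ">III"   # h_magic, h_blocktype, h_sequence (big-endian)
TAG = ">IHH"   # t_blocknr, t_checksum, t_flags (32-bit tags, assumption)
BS = 1024      # block size of the constructed sample journal


def descriptor_tags(block: bytes) -> List[int]:
    """File-system block numbers logged by a descriptor, in data-block order."""
    tags, off = [], struct.calcsize(HDR)
    while off + struct.calcsize(TAG) <= len(block):
        blocknr, _csum, flags = struct.unpack_from(TAG, block, off)
        off += struct.calcsize(TAG)
        if not flags & FLAG_SAME_UUID:
            off += 16            # a 16-byte UUID follows tags that do not reuse it
        tags.append(blocknr)
        if flags & FLAG_LAST_TAG:
            break
    return tags


def walk_journal(journal: bytes) -> List[Tuple[int, Dict[int, bytes]]]:
    """Return (sequence, {fs_block: logged copy}) for each committed transaction.
    A descriptor is the indicator block, a commit block ends the sequence."""
    magic, btype, _ = struct.unpack_from(HDR, journal, 0)
    if magic != JBD2_MAGIC or btype not in (SUPERBLOCK_V1, SUPERBLOCK_V2):
        raise ValueError("not a jbd2 journal")
    bs, _maxlen, first = struct.unpack_from(">III", journal, 12)
    nblocks = len(journal) // bs

    def block(i: int) -> bytes:
        return journal[i * bs:(i + 1) * bs]

    txns, pending, i = [], {}, first
    while i < nblocks:
        magic, btype, seq = struct.unpack_from(HDR, block(i), 0)
        if magic != JBD2_MAGIC:
            break                # past the last logged block
        if btype == DESCRIPTOR:
            tags = descriptor_tags(block(i))
            for n, fsblock in enumerate(tags, start=1):
                pending[fsblock] = block(i + n)   # data blocks follow the descriptor
            i += 1 + len(tags)
        elif btype == COMMIT:
            txns.append((seq, pending))
            pending, i = {}, i + 1
        else:
            i += 1               # revoke and other block types carry no data here
    return txns                  # an uncommitted tail transaction is dropped


def recover_stale_copies(journal: bytes,
                         fs_read: Callable[[int], bytes]) -> List[Tuple[int, int, bytes]]:
    """Logged copies whose content differs from the live block: earlier versions."""
    found = []
    for seq, blocks in walk_journal(journal):
        for fsblock, logged in blocks.items():
            if fs_read(fsblock) != logged:
                found.append((seq, fsblock, logged.rstrip(b"\0")))
    return found


def _jblock(btype: int, seq: int, payload: bytes = b"") -> bytes:
    return (struct.pack(HDR, JBD2_MAGIC, btype, seq) + payload).ljust(BS, b"\0")


def build_sample_journal() -> Tuple[bytes, Dict[int, bytes]]:
    """Constructed journal: txn 5 logs blocks 100 and 200, txn 6 rewrites 100."""
    uuid = b"\x11" * 16
    v1 = b"inode table v1".ljust(BS, b"\0")
    v2 = b"inode table v2".ljust(BS, b"\0")
    dirent = b"dirent deleted.txt".ljust(BS, b"\0")
    blocks = [
        b"",  # superblock, filled in below
        _jblock(DESCRIPTOR, 5, struct.pack(TAG, 100, 0, 0) + uuid
                + struct.pack(TAG, 200, 0, FLAG_SAME_UUID | FLAG_LAST_TAG)),
        v1, dirent, _jblock(COMMIT, 5),
        _jblock(DESCRIPTOR, 6, struct.pack(TAG, 100, 0, FLAG_LAST_TAG) + uuid),
        v2, _jblock(COMMIT, 6),
        bytes(BS),  # unused journal space
    ]
    blocks[0] = _jblock(SUPERBLOCK_V2, 0, struct.pack(">III", BS, len(blocks), 1))
    # live file system: block 100 holds the newest copy, block 200 was wiped
    live = {100: v2, 200: bytes(BS)}
    return b"".join(blocks), live


def demo() -> List[Tuple[int, int, bytes]]:
    journal, live = build_sample_journal()
    return recover_stale_copies(journal, lambda n: live.get(n, bytes(BS)))
```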

A.3.3 Blackberry Forensics

It is quite obvious that the bigger the market share a brand captures, the more studies concerning it are conducted. Blackberry does not possess a big percentage but, since it is designed mainly for professional and business use, it becomes an object of forensic interest. Similarly to other kinds of devices, the acquisition procedure is completed by the use of the official Blackberry Desktop Manager (BDM) via IPD file generation [38]. Apart from other features, BDM also serves as a backup manager, which returns an IPD file to the user; ABC Amber BlackBerry Converter then interprets it into a readable format. The work in [38] proposed a different approach, oriented to database acquisition with the use of a software agent. After exposing the most important rules that preserve the legitimacy of forensic methods [1], they compared them to their method and summarized the deviation from each one. For example, the use of an agent itself provoked changes to the state of the device, since data were modified. This problem was not only spotted on Blackberry, but on every kind of OS. Blackberry devices have a unique trait that hampers forensic acquisition methods. Even worse, there is no documentation or technical design outline provided by the vendor, so forensic analysts start their research from scratch, with great risks. The method the authors proposed was a type of logical acquisition, since it was a program interacting with and extracting the databases within the Blackberry file system. It is notable, though, that they did not mention any acquisition types or classifications. The .cod agent was based on a client-server architecture and developed in the BlackBerry Java Development Environment (JDE). Apart from accessing databases, it was capable of creating a communication and data exchange stream between the target device and the computer it was connected to. Moreover, the returned results did not need the converter in order to be decoded. Data integrity was preserved by the use of MD5 hash functions on the retrieved data. The next step consisted of analyzing the extracted data with the Blackberry Acquisition and Analysis Tool (BAAT), which they implemented in an effort to propose a complete technique. BAAT exported the acquired data concerning the target device in .html format. The main challenge they faced does not differ from those of other researchers and concerns the means by which a mobile device can comply with the existing standards of no modification after seizure.

A.3.4 iOS Forensics

Zdziarski [49] achieved the breakthrough of implementing a physical acquisition technique, especially designed for the iOS. There are no other similar attempts in the literature, at least for the time being. It was generally claimed that even the jailbreak technique he used was superior to other widespread ones [15]. Specifically, the unique feature of the method was that it changed an amount of data in the system partition but left the user data partition untouched. In any case, the ideal state of no data modified had not been achieved; a forensically sound image of the user data, though, had been a breakthrough. Then, he booted the test device with a recovery toolkit [49], which contained the essential software enabling him to obtain a bitwise copy of the memory image. Another notable feature was the utilization of SSH in the recovery toolkit for establishing an encrypted bridge between the device and the workstation. Bypassing the protection code was accomplished by the installation of the iPhone Utility Client (iPHUC) on the workstation. Finally, file carvers, SQLite database software and other recovery/viewing programs were used to convert the acquired image to a human-interpretable format. Zdziarski contributed a major advance in the iOS forensics field. The research, though, needs to be continued, since new versions of the OS are implemented and previous techniques may already be outdated.

Hoog and Gaffaney [15] set the basis of forensic investigation for the iOS, with a detailed outline of the state of the art and applicable methods up to that point. After presenting the most important technical attributes, they classified acquisition methods (manual, physical and logical). Commercial forensic tools performing physical, logical or both types of acquisition took part in the survey, as well as Zdziarski’s physical dd method [49]. Data extraction was carried out by the iTunes backup feature, with the automatic synchronization option deselected. The test device, an iPhone 3GS (2.2 firmware) that had not been through a jailbreak process, was filled with all kinds of data that can reveal user interaction with the phone, as in a real case study. The researchers then implemented an evaluation method for each acquisition procedure, consisting of certain factors, such as ease of installation and use, acquired data integrity, etc. Each of the factors contributed on a different scale to the final result, according to its relevance to the acquisition procedure. When the evaluation was completed, Zdziarski’s method gathered the highest score. Research results have shown that different forensic tools lead to different acquired data quantity and quality, according to their characteristics.

Morrissey [31] also discussed logical acquisition on iPhone devices by the use of the iTunes backup feature. The research was applicable to iOS versions prior to 4 that had not been jailbroken. The acquisition procedure was enhanced by the use of mdhelper, a command-line utility specialized in data parsing. Mdhelper was not considered an essential add-on; on the other hand, it helped investigators navigate through retrieved data at low time cost. Automatic synchronization had to be disabled from the beginning of the procedure in order to ensure the forensic soundness of the retrieved data sets [20]. After the acquisition point, evaluation testing was similar to the one performed by Hoog and Gaffaney [15]. However, contrary to Hoog and Gaffaney, evaluation results were calculated only from the amount and quality of retrieved files. Morrissey concluded with a lukewarm attitude towards forensic tools, implying the need for more efficient techniques.

As already pointed out, one of the prevailing techniques for forensic acquisition from iOS devices is obtaining a logical backup via the iTunes backup feature. This approach was also studied by the work in [2]. The test device was an iPhone 3GS that had not been through a jailbreak procedure. They claimed that, even if a few physical acquisition techniques exist, iPhone devices are mainly examined through logical acquisition. After ensuring that the conditions of the research were compliant with forensic standards [20], they connected the device to two workstations (Windows and Mac) and initialized the backup procedure without triggering the synchronizing option. This is because, if the synchronizing feature had been powered on, data on the phone would have been altered and could not be considered an admissible piece of evidence [20]. On the other hand, some modification to the device data had been traced, since activation of a write-blocker failed when the phone was connected to the workstation via USB. “The acquired backup was parsed and viewed using specific tools, such as pList editor, SQLite Database Browser” [2] and other file parsing utilities. A unique trait present in that research was the detailed outline of the whole examination procedure, setting out the framework and its limitations. Some limitations had come to the surface during the experimental procedure the authors followed: iTunes versions prior to 8.2 were unable to interact with the iPhone 3GS device. This observation points to a general discipline concerning the attitude towards experiments: the more approaches are examined, the more detailed and appropriately oriented a piece of research can be. Since logical acquisition leads to the extraction of a vast amount of data, isolating and analyzing the most important data for the investigation can become demanding.

Both workstations’ backup folders were compared to each other. The same sequence of alphanumeric characters appeared to be the folder name on both of them, leading the authors to the conclusion that the name was a hash function output, unique for each acquisition deriving from the same device with the same timestamp. The backup folder contained several subfolders, each named after a hash function value. “Backup data is stored in three file formats, pList files which store data in plaintext format, mddata files which store data in a raw binary format and mdinfo files which store encoded metadata of the corresponding mddata files” [2]. Special software was used for decoding the files mentioned above, such as pList and SQL editors. They also made a small reference to manual acquisition with terminal commands, as an additional data source and means of comparison. Next, they made a classification concerning the data types acquired. Parsers were used to convert binary files to their original state. Finally, they proposed the development of open-source software in charge of handling data from pLists and databases and printing the appropriate reports. Another challenge they picked out was the acquisition methods for password-protected devices, or groups of encrypted data.

[16], after expressing a general disappointment towards the performance of commercial forensic tools and the disadvantages of individual acquisition methods [49] or acquisition techniques involving the jailbreak procedure, proposed a framework for iPhone forensic investigations, consisting of three phases: data acquisition, data analysis and data reporting. The presented procedure does not have notable differences from other studies in the field, but could be proposed as a general framework. Once more, acquisition had been performed via the iTunes backup utility, but the researchers did not mention sync deactivation. Decoding retrieved data was carried out through the use of file parsers and plist editors. For bypassing security codes, they proposed the seizure of the computing device that may belong to the suspect or victim. This assumption, though, isn’t always applicable, since the investigators might not discover any workstations, or the suspect might not even possess any computing devices. The arguments they present do not refer to a general condition, so the proposal is rather insufficient to become an official framework for investigations.

Social networks have become the center of attention, since they gain more and more subscribers every single day. Data deriving from mobile versions of social media can be an important source of information for investigators. The authors in [22] discussed social media data exported from mobile versions of social networks for ver. 3.x and 4.x of the iOS. Even if their research is restricted within the limits of a country, the sample can be representative, since some of the social networking applications used are popular worldwide.

Before beginning the experimental procedure, the researchers split the acquisition procedure into two main categories; the first concerned devices whose security mechanisms had been bypassed by the use of the jailbreak technique, while the other referred to devices that had not been through any kind of change. Less attention was given to the first category, since the authors skipped the acquisition method used. On the other hand, they gave considerable attention to the second category, where they used one of the common approaches for acquisition [2], the backup feature of iTunes. Extracted backup data are the same in both OS versions, but metadata have a different format. For instance, in ver. 3.x, the extracted data file has the .mddata extension and the .mdinfo file is created for the metadata. In ver. 4.x, “all information on the backup file is saved as a pair of files, manifest.mbdx and manifest.mbdb” [22].

The next step in the survey was to gather and compare the retrieved results from the social networking applications, as well as the paths to data. Data deriving from backup acquisition were stored under a hash value, while those extracted from the jailbroken devices were stored directly with their file name and type. Next, the information of major forensic importance, such as multimedia images, user-driven social media attributes and geolocation data, was categorized. A quite interesting aspect concerning multimedia files (photos and videos) was spotted, since an iPhone device by default relates pictures taken with its camera to the GPS coordinates of the place they were taken. This information could be extracted separately, but this feature couldn’t be used in social media applications, due to the fact that the OS itself creates another picture folder, where photos to be uploaded are stored without the geolocation data available. In the end, they focused on behavioral analysis of data manipulation concerning each application and concluded that all of them have different structural attributes. Information concerning temporary files from Facebook could only be retrieved from jailbroken devices. The research gives food for thought for further experiments in the field of social networking applications.

Within their research, [45] identified the iTunes backup utility as a prevailing method for logical acquisition from devices running iOS. First off, they detail the features that give iTunes its forensic importance. One interesting aspect was the explanation of how application data reside in, and can be collected from, an iPhone handset. Technical details had been analyzed in depth; however, there was no trace of compliance with MF standardization. For example, the option of de-activating synchronization was not even mentioned. After that, they enumerated the arguments concerning data deriving from the use of social network and chatting applications (Facebook, WhatsApp Messenger, Skype, Windows Live Messenger and Viber), which was the initial scope of the research. The test device was an iPhone 4, running iOS ver. 4.3.5. The experiment consisted of two phases. The first concerned data acquisition after app installation, while the second after deletion. All the applications tested, apart from Facebook, stored additional data in the backup folders, which could be easily decoded by the use of pList editors and an SQLite browser. Results satisfied the needs of a forensic investigation, but there were still some parts needing extra attention, such as those concerned with encrypted and unallocated data. The case study of a device that had been through jailbreak was neglected in this research as well.

A.3.5 Maemo Forensics

Lohrum [27] studied forensic acquisition from the Nokia N900 smartphone running the Maemo OS. Maemo isn’t a widespread OS. Hence, forensic studies in the field are limited to few resources only, but physical and logical (mentioned as triage) acquisition methods are present as well. The author made an introduction to the technical details of the Maemo OS, focusing on its Linux origin. Features present on the phone that were considered innovative by the time it was released on the market were the Unix terminal, VoIP communication and game console emulators.

Since there is poor documentation concerning forensic acquisition on Maemo devices, the author’s first goal was to find the places where data of major importance were residing. The procedure he followed didn’t deviate much from methodologies used for other mobile platforms. It consisted of the following steps: manually entering data and interacting with the device, acquiring a bitwise physical copy of the phone memory image, decoding it via a forensic tool, comparing the data to the original ones and finally performing a limited triage extraction onto a microSD card [27]. Before proceeding to the physical acquisition, the researcher eliminated possible interactions of the phone with every potential network connection. However, for achieving the physical acquisition procedure successfully by the use of the dd command, he had to root the target device. A unique feature of the acquisition process was that the image was transmitted to the workstation computer over an SSH tunnel. Another characteristic of the specific handset that could facilitate forensic research was the fact that user data, OS and swap space were situated in different partitions. This way, rooting could affect only one of them, preserving forensic soundness for the unaffected ones. After locating the most important data within the file system, he conducted a logical acquisition by an automated script, coined N900TriageExtraction.sh, which contained copying commands. At the end of the acquisition, the script was deleted.

A.3.6 Symbian Forensics

The work by [29] discussed the development of an on-phone forensic logical acquisition tool for the Symbian OS (v. 7), which is based on the dd technique on portable devices running Linux [29]. At first, they made an introduction to Symbian OS characteristics and then classified potential acquisition methods. Their approach consists of manual acquisition, use of forensic tools, logical acquisition including a connection agent, physical acquisition and data acquired from service providers. Use of forensic tools as a separate category is disputed, since they serve as automated solutions in order to interpret logical and physical acquisition results into a human-readable format. On the other hand, data retrieval from a phone service provider was beyond the scope of this paper. It would be more appropriate if its use were complementary to the results deriving from manual, physical and logical acquisition tasks, for guaranteeing data integrity. However, the classification provided by the authors, considering the period of time the article was written, is quite accurate, since it was only then that mobile devices started becoming complicated and needing different kinds of acquisition, apart from SIM module and phone service provider ones.

Moreover, they clarify that when the interaction of a forensic tool with the target mobile phone is kept at a low scale, the evidence deriving from it is more likely to be admissible in court. After enumerating the possible ways of installing the on-phone tool, they came to the conclusion that the way that causes the least data differentiation is saving the tool installer on an external memory card and then placing it inside the target device. They characteristically state “Even though it may change certain parts of the OS, the changes are very little compared with placing an entire installer which still has to be extracted” [29]. This approach was the optimum, preventing alterations of data, but presented other disadvantages. Specifically, acquired data were stored on the same memory card carrying the application installation file, so the acquisition destination was not forensically sound.

Furthermore, they used recognizers, which “are written as plugins to the MIME Recognizer Framework and are scanned for and loaded during operating system startup” [30]. Thus, their tool was able to start when the phone was booting, avoiding further interaction. Choosing between Java and the development of a native application in Symbian C++ was another challenge faced. The option selected was the native application, since it gained access to lower levels of the OS by default; this way, acquisition of bigger portions of data was possible. Another negative trait of the tool was that it was unable to acquire data from applications being executed at the same time, since it couldn’t handle the running processes. As a result, data of high forensic importance could not be acquired, such as call logs and contact lists (CallLog.dat and Contacts.cdb files). Data retrieved were mainly modified and created by the users and handled by applications. There was no trace of data manipulated by the OS or other structural elements. Despite the fact that the method presented had major issues waiting to be solved, it became a source for further research.

After a brief but fruitful presentation of the state of the art concerning both the spread of smartphone usage and forensics standardization, DiStefano and Me [11] proposed another on-phone logical acquisition tool for devices running the Symbian OS v. 8 and older. Even during a period when acquisition was conflicting with the use of commercial forensic tools and performing a bit-by-bit acquisition of the internal memory of the device was considered an impossible task, they managed to retrieve the complete Symbian file system. MIAT (Memory Internal Acquisition Tool), the tool they developed, is considered the evolution of Mokhonoana and Oliver’s equivalent [29]. However, taking into consideration that the versions tested were older than 9, there was no security mechanism to bypass. During the acquisition process, the tool opened and copied in read-only mode each entry it stumbled upon while traversing the file system tree.

The authors also managed to correct previous defects, since the memory card inserted into the device for performing the acquisition was forensically sound and divided into two different partitions; one containing the tool application installer and the other destined for the acquired data. Moreover, the acquisition procedure was enhanced with the use of a hash function in an effort to assure that the data retrieved were identical to the original. They also conducted experiments comparing MIAT to Paraben Device Seizure, a commercial forensic tool, and P3nfs, an application which is not a forensic one, but was claimed to mount the Symbian file system into the Linux file system [11]. After completing the experimental process, it was found that MIAT showed many advantages compared to the other tools. Parallel support for simultaneous examinations reduced the time needed in order to complete the investigation. Moreover, the files that underwent changes after the use of MIAT were fewer than the ones the Paraben tool changed.

Last but not least, the extracted data size was almost the same for both tools. MIAT was properly documented and the researchers set the proper base for future research, support of ver. 9 and improvements. Another accomplishment noted was the further development in order to give the tool a form that could support real-time investigations. It is obligatory to mention that there was no reference concerning the types of data acquired. Such a reference would have made the research procedure more complete and clear.

[48] noted the incompatibilities of forensic techniques between smartphones in general and ones running the Symbian OS and claimed that the latter call for a totally separate approach. Firstly, they conducted research concerning the investigation models applicable to the DF field. Before proposing a similar model for the Symbian OS, they exposed the state of the art for the specific kind of phones. New security mechanisms, starting from ver. 9.0 (capabilities), and their effects on a potential forensic investigation were discussed.

The proposed model consists of 5 stages. The first one concerns acquisition of the version and model without directly interacting with the OS. It is also checked whether the mobile device is protected by security mechanisms or not. If security mechanisms are present, then investigators use a protocol or a hardware approach to physical acquisition (via remote connect and response protocols or JTAG chip connection respectively). The techniques mentioned are the ones interacting least with the security mechanisms. Their only interference includes gaining access to the swipolicy.ini file and then root privileges on the device. If security mechanisms are not present, then the use of every forensic tool is applicable. Poor documentation concerning acquisition types, other than a reference to Mokhonoana and Oliver’s tool [29], reduces the reliability of the model. The next steps apply to extracted data analysis and dissemination of the results. Another negative aspect is the lack of documentation concerning standards in the field. Nevertheless, if extended, their [48] process model can be useful for future investigations.

[34] created the Symbian Memory Imaging Tool (SMIT), which is mentioned to be the first on-phone tool to create linear bitwise copies of the internal flash memory. SMIT, designed for Nokia cellphones, is mainly based on a hybrid method consisting of logical acquisition techniques and boot loader class methods. It also makes use of the Symbian OS API in order to gain access to the file system of the device. The researcher claims that the developed tool is able to recover hidden data from slack and unallocated areas of the memory, due to the support provided for low-level system calls. Since SMIT is an application installed on the mobile device and used for live forensic purposes, it alters its original state. As a result, the researcher adopts techniques for the application to be able to comply with the NIST Guidelines on Cell Phone Forensics [20], such as use of MD5 and SHA-1 hash functions and reducing write traces. The application is claimed to be compatible with Symbian ver. 8.1 and newer. Tools accessing the lower-level API instead of the file server one automatically acquire more privileges over drive manipulation and access. It is notable that SMIT acquisition was more efficient on the test devices running Symbian 9.0 than on the 8.1 ones. On 8.1 devices, the only partition recovered concerned system data, while 9.0 devices returned both system and user data partitions.

Pooters claims that further research needs to be conducted for ver. 8.1, but, taking into consideration the current market share, priority should be given to other mobile platforms. Rooting is also present in Symbian cell phones. For installing SMIT properly, it was obligatory to use a capability hack. Bear in mind that capabilities are a mechanism to control the actions an application is allowed to perform on the OS [34]. In this case, Pooters used the HelloOx [42] modification, a hack destined for rooting Nokia mobile phones. After HelloOx completes drive mapping, it extracts itself directly on the virtual ROM drive, proceeds to root certificate installation and patches memory pages to prevent the capabilities mechanism from functioning. Nevertheless, compliance of HelloOx and other third-party rooting applications with forensically sound disciplines is still controversial [20].

Moreover, the author proceeds to a brief presentation concerning analysis techniques for retrieved flash memory images. Then, he exposes data types of forensic interest acquired from the device, varying from application data to those edited and deleted by the end-user. Developing a tool like SMIT was a big step in the Symbian forensics field, since none of its predecessors, such as MIAT [11], were capable of retrieving a bit-by-bit copy of the file system. Moreover, it had the unique trait of deleted data retrieval, which is a weak point of logical acquisition based tools. Access to the low-level OS API calls allows the advantages of logical acquisition to combine partially with physical acquisition traits without facing the circuit destruction challenge. Due to the hybrid nature of SMIT, Pooters provided a slightly different classification of acquisition methods. He divided physical acquisition into two categories, chip extraction and JTAG, while adding the level of bootloaders between physical and logical extraction. Yet another piece of research stands against the obstacle of rooting without altering the original state of data on the device, but the use of hash functions preserves data integrity. Further research needs to be conducted for the retrieval of files altered by the OS itself, such as GPS and PIM activity, but also for the ones residing in databases. Expanding the functionality of SMIT to other brands apart from Nokia would be a positive outcome as well.

Thing and Tan [44] went further through the Symbian forensics field. They mainly focused on retrieval of privacy-protected data on smartphones running the Symbian OS. The two devices used in their experiments were running OS ver. 9.4 S60 5th edition and 9.3 3rd edition. Their study concerned acquisition of allocated and deleted SMS from the internal memory of the devices. No acquisition type was mentioned, but since their study concerned protected data, it could be applicable to both physical and logical methods.

At first, they exposed the current situation concerning SMS recovery tools and concluded that their area of influence had been quite limited and effective only in certain areas, such as the SIM module.

Next, they claimed that the main obstacle in internal memory acquisition is the existence of default security mechanisms, not only for Symbian, but for other mobile platforms as well. As versions of OSs evolve, it is becoming more difficult to penetrate the security locks that preserve the integrity and availability of sensitive data. As a result, they implemented a technique to bypass the AllFiles capability that leads to unlimited access to the Symbian filesystem. The researchers managed to create a sub-directory (\sys\bin) under any directory in the phone, place executable files in it, and then map it to a new drive letter, thus effectively putting these executable files into the valid executable path. They also configured a Symbian Authority Certificate and integrated it into the device with the aid of the mapdrive API, by triggering the Symbian Certificate Store. By doing so, they were able to let their tool acquire permissions for executing different kinds of commands while leaving other security mechanisms activated and preventing them from intervening in its functionality. This is considered a revolutionary technique, since its predecessor capability hacks, like the different versions of HelloOx [34], totally disabled security mechanisms, making the device a potential target for malicious attacks. Since security locks had been bypassed, they were able to locate the previously invisible path to the folder containing the unallocated and active SMS within the internal memory, which is the \Private\1000484b\Mail2 one. They figured out that each file entry inside the folder referred to an allocated SMS. Moreover, they implemented an algorithm in order to determine properly the actual packet and message length [44]. Acquiring deleted SMS from the index file was a slightly different procedure. The fact that every deleted message started with a certain sequence of digits and alphanumeric characters facilitated their work. Along with a maximum number of bytes (64) that had been noted for every deleted entry and the observation of different kinds of indices, messages up to that byte limit could be partially or fully recovered. The researchers proposed future expansion of the same experiment to other types of protected data, such as MMS, e-mails, notes, etc.
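The deleted-SMS recovery described above is an instance of signature-based carving: scan a raw file image for a fixed marker and cut a bounded record after each hit. The following script is an added example written for this review; it is not code from the thesis or from Thing and Tan's tool [44]. It uses only what the text reports (a fixed leading byte sequence per deleted entry and a 64-byte maximum per record); the marker value, the sample image and the helper names are constructed assumptions, not the real Symbian signature or folder contents.

```python
"""Signature-based carving of deleted, fixed-size records from a raw index-file image.

Added example (not from the thesis or from Thing and Tan's tool).  It models the
two facts reported in the review: each deleted entry starts with a fixed byte
sequence and occupies at most 64 bytes.  MARKER and SAMPLE_IMAGE are constructed
placeholders so the script runs offline; the real signature is not on the page.
"""
import re
from typing import List, NamedTuple

MAX_RECORD_LEN = 64            # per-entry byte limit reported in the study
MARKER = b"\xde\x1e\x7e\xd0"    # ASSUMPTION: constructed placeholder, not the real signature


class CarvedRecord(NamedTuple):
    offset: int      # position of the marker inside the image
    payload: bytes   # bytes following the marker, up to the record limit
    truncated: bool  # True when the image ended before the record limit was reached


def carve_records(image: bytes, marker: bytes = MARKER,
                  max_len: int = MAX_RECORD_LEN) -> List[CarvedRecord]:
    """Return one CarvedRecord per marker hit.

    A record runs from its marker to whichever comes first: max_len bytes, the
    next marker, or the end of the image.  Stopping at the next marker still
    yields a complete (just shorter) record; stopping at the image boundary
    before max_len bytes is a partial recovery and is flagged as truncated.
    """
    hits = [m.start() for m in re.finditer(re.escape(marker), image)]
    records = []
    for i, off in enumerate(hits):
        limit = off + max_len
        nxt = hits[i + 1] if i + 1 < len(hits) else len(image)
        end = min(limit, nxt, len(image))
        truncated = end == len(image) and end < limit
        records.append(CarvedRecord(off, image[off + len(marker):end], truncated))
    return records


def record_text(payload: bytes, min_run: int = 4) -> str:
    """Best-effort rendering of a carved payload: keep printable ASCII runs of at
    least min_run bytes and drop padding or garbage bytes between them."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_run, payload)
    return " ".join(r.decode("ascii") for r in runs)


def _pad(data: bytes, size: int) -> bytes:
    """Zero-pad a record to its fixed on-disk size (constructed layout)."""
    return data + b"\x00" * (size - len(data))


# Constructed sample image: 16 bytes of unrelated data, one full 64-byte record,
# one short record followed by 8 garbage bytes, and a record cut off by the image end.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + _pad(MARKER + b"Meet at 7pm", MAX_RECORD_LEN)
    + MARKER + b"Call me back" + b"\xff" * 8
    + MARKER + b"partial"
)


if __name__ == "__main__":
    for rec in carve_records(SAMPLE_IMAGE):
        flag = " (truncated)" if rec.truncated else ""
        print(f"offset {rec.offset:5d}: {record_text(rec.payload)!r}{flag}")
```

Running the script prints the three recovered messages with their offsets and flags the last one as truncated, which is the "partially or fully recovered" distinction the study makes; in a real examination the marker, the record limit and any length field would be taken from the format itself rather than assumed.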

[43] developed a physical acquisition tool for Symbian phones, entitled Symbian Acquisition Tool (SAT), written in Symbian C++. The test subject phone was a Nokia N97 running the S60 5th edition. The tool is composed of an Acquisition Program, a Memory Extractor Module, a Hash Generation Module and a File Compression Module [43]. The Acquisition Program triggered the Memory Extraction Module, which stored the bitwise copy of the memory image on removable storage media. The Hash Generation Module was necessary, since it computed the SHA-1 value for future verification tasks. The File Compression Module was used for reducing the image copy size in order to fit on the removable storage media. The next step concerned filling the device memory with different kinds of data, deleting and/or adding new ones and extracting the results concerning fragmentation as well. It seemed that fragmentation levels were higher when many file modifications were taking place. Research could be extended with other models apart from Nokia ones and other OS versions.

A.3.7 Windows Mobile Forensics

Klaver’s work [24] has been an influence on many future researchers, since not only did it introduce revolutionary techniques in the MF field, but it also discussed the most significant parts of the hardware and software related to them. His work concerned the study of physical acquisition mechanisms on smartphones incorporating the Windows Mobile OS, ver. 6.0. The most significant attributes of forensic importance were the bootloaders and the RAM heap present in most of the Windows Mobile handsets. Bootloaders are the software components responsible for extracting a physical binary image of the memory of the device. Despite the fact that bootloaders exist in smartphones carrying other kinds of OSs, only Klaver gave a detailed description of their utilities and applications in forensic science. He also mentioned that if a bootloader is prevented from being accessed, many problems concerning a potential forensic extraction might occur. Moreover, he argued that the RAM heap is a treasury of unallocated data or data deriving from interaction with applications, since most buffers reside there. Just like other researchers, he took highly into consideration, and tried to make his research methods comply with, the admissible forensic practices in court [20], and assumed that a sound investigation requires inactive connections and heap alterations on the target handset. After categorizing acquisition methods into logical and physical ones, he reached the conclusion that even though physical acquisition is more effective, it is dangerous for both the mobile phone and the data stored in it.

On the other hand, he claimed that logical acquisition can become insufficient if access to certain areas of the memory is prohibited, and that forensic soundness can be compromised if bypassing modifications are used. He then presented a pseudo-physical acquisition technique, a mix of characteristics from both types of acquisition. The set of actions consisted of a bitwise copy of the flash memory image obtained through ActiveSync. This could be achieved through the use of a "dedicated dll loaded into the system under investigation, thus overwriting RAM and possibly flash memory" [24]. Had this been a physical acquisition procedure, the outcome would have been at the flash hardware level. Since this technique was followed instead, the produced outcome belongs to the file system level. This attribute prevented unallocated data from being retrieved and contributed to the hybrid nature of the method.

A presentation of the pseudo-physical acquisition method would not be complete without an evaluation of the tools designed for this specific purpose. Both of the tools utilized interacted with the target device in a way that did not affect the data on it. This could be achieved either by remote handling or by the use of removable storage media. An interesting approach was provided when the author presented the file system reconstruction procedure based on memory pages in pseudocode. Pseudocode was also used for describing acquisition procedures from files of high forensic importance, such as cemail.vol and pim.vol, with the use of the proper libraries and dlls. Yet another unique feature offered in the context of this research is the use of a Python script, namely cedbexplorer.py, as a potential algorithm to retrieve standalone records within a database. Once a record was retrieved, it was decompressed; its MD5 hash was calculated and then compared to the MD5 hash fingerprint deriving from xpdumpcedb.exe. Preliminary efforts were made by the author toward understanding the way a program interacts with the heap and leaves traces on it. Hence, Klaver implemented another Python script, heapdigger.py, which searched for the heap marker in an image and decoded the heap headers and subsequent heap items. This research served as food for thought for many later ones, and the methods employed need to be updated accordingly to accommodate newer versions of the OS.

A more limited version of acquisition and data analysis based on Klaver's work was proposed by [5] and applied only to devices that were not password protected. The authors adopted the same pseudo-physical acquisition technique as Klaver and made use of one of the tools he proposed. Difficulties in retrieving deleted data were taken highly into consideration, without focusing on the acquisition methods related to each kind. Obstacles that may arise are due to failures in reconstructing the file system, as well as the fact that a certain number of devices carrying the Windows Mobile OS replace the content of deleted files with a sequence of 0xFF. Similarly to other researchers in the field, they concluded that forensically valuable information can be retrieved from the cemail.vol and pim.vol files. By presenting a detailed structure of the cemail.vol file, they emphasize the importance of the data provided within it. They also promoted the use of a hex editor to retrieve hidden deleted data.

Another place susceptible to containing important information is the system registry, since details of the configuration and use of a device can be found there [5]. The researchers mainly focus on the importance of acquired data during an investigation. An interesting aspect was presented at the end of the research, concerning the remote execution of a piece of code sending data to a third-party entity, which observes the user's actions. Such a task may not be visible in the task manager or perceived by the average user, but it can still run in memory or be detectable by the RAPI tools commands [24]. In this direction, [5] propose an implementation for discovering such processes by a program entitled MobileSpy, which had been able to detect this kind of change, but the documentation provided was not satisfying. [5]'s work completes the experimental overview provided in Klaver's and can be further used for a plethora of examples.

The work introduced by Rehault [37] was a case study of a pseudo-physical acquisition method implemented strictly for the HTC TyTN II device running Windows Mobile ver. 6.0. The author used a modified bootloader and acquired a bitwise copy of the flash memory. As far as we are aware, this is the only work providing an analytic overview of the components and functionality of a bootloader. Afterwards, the author proceeded with the file system and registry reconstruction, while well-known carving tools were used to retrieve the contents of databases, such as cemail.vol, and unallocated files. The acquisition method proposed showed the major impediment of inflexibility, since devices even from the same vendor cannot be compatible with one unified bootloader type.

[12] studied data acquisition with regard to the forensic techniques applicable to smartphones running the Windows Mobile OS. This work does not propose a new method, but makes a comparison between the ones already developed. The lack of a standardization structure within forensic acquisition processes seemed to be the major challenge, since the authors had to create a hypothesis and adapt it to the tools they used from scratch. The study began with a classification of acquisition methods into physical and logical, and a presentation of the tools used during each one. The test smartphone was running ver. 6.1 and was not supplied with an external storage card, since the authors claimed it was unnecessary, based on previous studies conducted on the subject. The device was subjected to manual, physical and logical acquisition procedures. Before any kind of acquisition took place, ActiveSync was enabled. As far as physical acquisition is concerned, the researchers used a pseudo-physical technique, implemented by Cellebrite's Universal Forensics Extraction Device Physical Pro edition, version 1.1.3.8 [12].

The same forensic suite was also used to complete the logical examination. Since data extracted by physical acquisition techniques were not in human-readable format, tools such as forensic toolkits and file carvers were used to interpret different kinds of files from the binary image. Apart from commercial file carvers, the python script from [24], cedbexplorer.py, was used as a different approach to achieve data extraction from database files, such as cemail.vol. Moreover, string extractors were used for extracting the content of allocated files. On the other hand, logical and manual acquisition extractions needed no further editing. After completing every kind of acquisition, the authors implemented a technique whereby retrieved data and artifacts were tested through the MD5 hash function and compared to the original ones. As a result, retrieved pieces of information were classified into four categories, three of which concerned the relevance between the original and the extracted ones. The last one was used if the artifacts were neither detected nor supported. Data that had not been fully detected were additionally tested by a fuzzy hash, in order to measure their similarity to the original ones. As expected, results deriving from the two categories of acquisition types differed at a major scale. Unallocated files were only retrieved through physical acquisition and the use of WinHex, while it was unable to recover any data relevant to appointments, contacts and call logs, most of which were stored in the embedded databases. Logical acquisition was capable of recovering those data types. Various differences were present even between retrieved files of the same kind. The researchers concluded that, in order to acquire a satisfying data set for a forensic investigation, a set of acquisition methods and tools should be applied. Also, extra attention has to be paid to the integrity and validity of the tools used.
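The integrity test and four-way classification described above, as an added example that is not code from [12]'s study: each recovered artifact is compared with its planted original by digest, artifacts whose digests differ are scored for similarity (difflib's ratio stands in for the fuzzy hash the study used; that substitution, the threshold and the sample records are assumptions), and artifacts the tool never produced fall into the fourth, unsupported category. The decision is taken on SHA-256 rather than MD5 alone, since MD5 collisions are practical and a tampered artifact could otherwise pass the check.

```python
"""Integrity check and four-way classification of recovered artifacts.

Constructed example: ORIGINALS is what was planted on the handset before
acquisition, RECOVERED is what the (hypothetical) toolkit produced.
"""
import hashlib
from difflib import SequenceMatcher
from enum import Enum
from typing import Dict, Optional, Tuple


class Outcome(Enum):
    IDENTICAL = "identical"      # digests match: artifact fully recovered
    PARTIAL = "partial"          # digests differ, but content is similar enough
    DIFFERENT = "different"      # recovered bytes do not resemble the original
    UNSUPPORTED = "unsupported"  # artifact neither detected nor supported


def fingerprints(data: bytes) -> Dict[str, str]:
    """Record MD5 (as the reviewed study did) alongside SHA-256."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def similarity(a: bytes, b: bytes) -> float:
    """Byte-level similarity in [0, 1]; stands in for a fuzzy hash (assumption)."""
    return SequenceMatcher(None, a, b, autojunk=False).ratio()


def classify(original: bytes, recovered: Optional[bytes],
             threshold: float = 0.6) -> Tuple[Outcome, float]:
    """Place one recovered artifact into one of the four categories.

    The decision is taken on SHA-256 rather than MD5: MD5 collisions are
    practical, so a match on MD5 alone is weak evidence of integrity.
    """
    if recovered is None:
        return Outcome.UNSUPPORTED, 0.0
    if fingerprints(original)["sha256"] == fingerprints(recovered)["sha256"]:
        return Outcome.IDENTICAL, 1.0
    score = similarity(original, recovered)
    return (Outcome.PARTIAL if score >= threshold else Outcome.DIFFERENT), score


def verify_set(originals: Dict[str, bytes],
               recovered: Dict[str, Optional[bytes]],
               threshold: float = 0.6) -> Dict[str, Tuple[Outcome, float]]:
    """Classify every planted artifact against what the tool returned."""
    return {name: classify(data, recovered.get(name), threshold)
            for name, data in originals.items()}


def summarize(results: Dict[str, Tuple[Outcome, float]]) -> Dict[str, int]:
    """Count artifacts per category, as a study's result table would."""
    counts = {o.value: 0 for o in Outcome}
    for outcome, _ in results.values():
        counts[outcome.value] += 1
    return counts


# Constructed sample records (not real device data).
SMS = b"from=+300000000000|ts=2012-01-15T10:32|body=Meet at the usual place"
CONTACT = b"name=John Doe|phone=+300000000001|email=john@example.invalid"  # 60 bytes
CALL = b"number=+300000000002|ts=2012-01-16T08:05|duration=42"
APPOINTMENT = b"title=Dentist|ts=2012-01-20T09:00"

ORIGINALS = {"sms_0001": SMS, "contact_0007": CONTACT,
             "call_0003": CALL, "appointment_0002": APPOINTMENT}

RECOVERED = {
    "sms_0001": SMS,                               # carved intact
    "contact_0007": CONTACT[:45] + b"\xff" * 15,   # tail overwritten with 0xFF
    "call_0003": b"\xff" * len(CALL),              # fully wiped
    # appointment_0002 is absent: the tool neither detected nor supported it
}

if __name__ == "__main__":
    results = verify_set(ORIGINALS, RECOVERED)
    for name, (outcome, score) in results.items():
        print(f"{name:18s} {outcome.value:12s} similarity={score:.2f}")
    print(summarize(results))
```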

[39] proposed an agent-based approach for forensic acquisition on Windows Mobile devices. A unique feature of this research was that, apart from introducing a technical framework, the writers dedicated a section to describing the most significant parts of a real-time investigation procedure, divided into seven phases: Identification, Seizure, Acquisition, Authentication, Analysis, Presentation and Preservation. They claimed that all phases are of equal importance to the investigation results, but two of them, acquisition and analysis, present major technical significance. The authors applied the tool they proposed to these two phases. Firstly, they made a small-scale evaluation of acquisition methods and recommended physical acquisition as the high-quality and effective one. Due to limitations concerning the division of internal flash memory types into RAM and ROM, they concluded that physical acquisition could not be performed on a satisfying scale; logical acquisition, on the other hand, is the most frequent choice. Meanwhile, they worked out the connectivity requirements needed for a proper setup, such as a USB/Bluetooth bridge from the mobile device to a computer and ActiveSync/Windows Mobile Device Center (WMDC) installation on the workstation. Then, they gathered the forensically important data sets, which resided in the file system, databases and registry. The software agent the researchers proposed was an all-in-one tool, combining logical acquisition attributes enabling it to interact with the most important databases (cemail.vol and pim.vol) and pseudo-physical acquisition traits, such as RAPI tools [5, 24]. Their research offered no innovative features, but rather a complete solution as an alternative to applying many different techniques at the same time. Finally, they presented the tool infrastructure and acquisition results on a test device, and compared it to other commercial forensic tools. Such a comparison, though, could not be considered accurate, since some tools did not provide simultaneous physical and logical acquisition support.

A.3.8 Multiple OSs Forensic Studies

[47] seems to hold the credit for the earliest forensic research, at a time when the field of SSDF was not yet fully formed. His study consisted of the main characteristics of the most prevalent OSs for mobile devices and how they can be utilized in potential MF investigations. Later on, he exposed the unique features of mobile devices that make the forensic discipline concerning them more complicated than that of desktop computers. Moreover, he presented some commonly used forensic suites and tools as a point of reference.

[32] focused on performing a forensic examination of mobile devices equipped with the most popular OSs: Android (ver. 2.3.3), Blackberry (ver. 6.0) and iOS (ver. 4). More precisely, the mobile versions of the Facebook, Twitter and MySpace applications were installed and used in order to provide a satisfying amount of information to be retrieved. After conducting a logical acquisition on the devices, they performed a manual analysis on each of the logical images acquired. The extraction and analysis procedure was fully certified, since they consulted the guidelines provided by NIST [20]. They argued that the investigation procedure would be more accurate if browser data were taken into consideration as well, since many users prefer logging in to social networks from a plain browser tab rather than the application itself. Accordingly, no data loss occurred, because the investigation had originally been restricted to the use of applications only.

Blackberry Desktop Software (BDS) was utilized to perform logical acquisition on the test-subject Blackberry phones, with the sync option disabled. Official backup software prevents changes from taking place to crucial elements of the logical image. Thus, this method is acceptable in court [1, 20]. A logical copy was acquired, but no traces of data deriving from social networking applications were found. Since this operation failed, further research should be conducted on the subject. Although the authors claim Zdziarski's method [15, 49] to be superior and the most accurate iPhone forensics technique, their investigation is limited to the use of the iTunes backup utility, with the automatic sync feature switched off. This decision poses the dilemma: to jailbreak or not to jailbreak. Nevertheless, data acquisition was successful, since a great amount of social networking interaction data could be retrieved from all the applications tested. This kind of information includes: Facebook user and friend data, friends with active chat sessions, timestamps, comments posted, all previously logged-in users; Twitter usernames, profile pictures and tweets; MySpace credentials, posts and timestamps. Android examination seems to be the most disputable category, since acquiring data from a non-rooted device reduces the quantity and quality of useful information that can be gathered. On the other hand, rooting a device makes significant changes to the potentially admissible evidence in court. The option of rooting was chosen, aiming at effectiveness. A standalone application, namely MyBackup, was used to extract the logical backup to an external SD card. Analysis of the logical image returned usernames, pictures uploaded and viewed, chat messages and created albums from Facebook; usernames, tweets and device info for Twitter; and usernames, passwords, cached files and cookies for MySpace. Although the results of the examination procedure were satisfying enough for two out of the three OS platforms tested, it is hard to reach definite conclusions. There is a need for the use of different techniques and approaches, enhanced by the use of different forensic tools, since they all have differing specifications for various data types. Further research should be conducted in order to produce statistics that will lead to strengthening any weak points that show up.

Even minor research efforts can contribute some interesting information to the field, although they do not propose something innovative or different from the existing ones. The research and experiments conducted by [7] belong to that specific category. They studied logical acquisition techniques on two target devices, running Android OS ver. 2.1 and Windows Mobile ver. 6.1. Research was strictly limited to certain types of acquisition and data types. The authors proceeded to logical acquisition with the use of the official backup and sync suites for each device. ActiveSync was used for the Windows Mobile one, while Kies was used for Android. ActiveSync is considered a global backup suite for Windows Mobile handsets; Android devices, on the other hand, apart from a few exceptions such as Samsung mobile phones, do not have a specific backup suite baseline. This last fact raises many questions concerning the different interaction of Android devices with that type of data extraction and creates further experimental needs. Since the retrieval procedure only consisted of interaction with official product software, there was no need for interfering with security locks or other trespassing methods, such as rooting. This approach, though, is not applicable to a real scenario, since the amount of data to be acquired will be relatively small compared to that demanded to fulfil the needs of a typical investigation.

The data types the authors aspired to extract were also limited to user-edited ones, such as images, SMS and contacts. One severe factor that was either not taken into consideration or left intentionally undocumented was the isolation of the devices from any kind of network source. The only potential precaution for both devices was that they had to be switched on during the acquisition procedure. The official backup suites had the ability to restore deleted files, but no further information was provided about their quantity or quality. A lack of metrics concerning data integrity and availability was also spotted in the results concerning allocated data acquisition, since the authors merely claimed that some files were impossible to read. Limited-scale research can provide useful information. However, since the research field is small, such studies have to be supported by a critical mass of experimental data for creating detailed metrics and statistics.

The great majority of field studies build on existing methods in order to evolve or even disprove them. Fewer, on the other hand, develop innovative research elements of mobile devices and show how they can become useful to the development of new theories. [33] discussed a method of forensic analysis from fragmented memory pages, for use when the reconstruction of the file system is impossible. Their first goal was to explain the basic characteristics of the memory types of smartphones and the mechanisms they use for balancing deletion actions across the memory in order to augment the estimated life span of the device. Next, they clarified that data acquisition can be partially easy, since data are only deleted at block level. They then proposed a process model for forensic analysis, in which they introduced flash memory page analysis, which can take place whenever the reconstruction of the file system is impossible, or for non-allocated areas in the file system.

The flowchart proposed in this work can be considered an extended version of the one demonstrated by [40]. By the time the research was undertaken, the process model was applicable only to Android and iOS devices. One of the most interesting features of the proposed process model was that it concerned a real-time investigation scenario and not separate acquisition techniques. The memory analysis method consisted of four scalable steps, which serve to reduce the estimated size of the memory to be examined. Duplicate entries, metadata and forms of certain data identified by their size were excluded from the examination. The last step concerns the classification of the remaining data according to their format. Data that have been through compression, such as audio, video and documents, were termed random, and their acquisition is considered a difficult task, due to their size and consequently their fragmentation level. This can be easily explained, since the bigger a file is, the more scattered it can be across memory blocks. On the other hand, non-random data, such as Web pages, SQLite databases and text data, are smaller in size. Both categories need specialized tools in order to be retrieved and completely restored. For proper documentation, the authors also conducted two case studies on two mobile devices, supporting the YAFFS and the EXT4 file systems. The method proposed is still in a primitive phase of development, and many features need to be added to provide full functionality, such as simultaneous support of two file types on one memory page.


A.4 Discussion

As already mentioned, MF is a relatively new discipline. The first guidelines and studies, published around 2007, were major contributions to the field, since many later research works were influenced by them. An excessive growth in the number of publications was noticed in 2011 and 2012, when smartphones had become increasingly widespread and the same had occurred with their involvement in crimes.

A.4.1 Representation of the major contributions in chronological order

Figure A.1 represents a timeline of the literature concerning the field of MF. As already mentioned, works prior to 2006 are not included, since their technology is considered outdated and thus beyond the scope of this survey. The horizontal axis at the bottom of the figure represents the presence, absence or coexistence of low-level modification mechanisms. Studies may concern modified devices or non-modified ones, while in some others both types coexist. Different kinds of geometrical shapes refer to OS types (e.g., circle for Android, diamond for Blackberry, rounded rectangle for theoretical background and standardization, and so forth). Shapes are placed within the diagram according to their chronological order. Numbers inside them correspond to the entry number in the References, while letters correspond to the acquisition type presented. The choice of letters is as close to the first letter of each acquisition type as possible: P stands for Physical Acquisition, L for Logical Acquisition, A for all acquisition types, while N shows that no techniques were mentioned in the context of the corresponding work. Texture fill is related to the data types each research work examined. A large grid implies all data types, dark vertical (vertical lines) refers to the user data category, dark horizontal (horizontal lines) to user and application data, dark downward diagonal to OS and application data, and a lack of texture indicates an absence of data types. Solid lines between two shapes imply influence, while dashed ones imply compliance or reference to theory and regulations. On the other hand, the dash-dot-dot texture represents an implicit reference, i.e. similar points of view that do not refer directly to each other.

From a quantitative point of view, almost half of the research works examined (18 out of 36) concerned devices without any low-level modification (root, jailbreak or capability hack). This occurred due to the implicit need to provide an original image of the state of the device according to the proposed guidelines [1, 20]. The majority of the research works shown in Figure A.1 that belong to the non-modified category have been influenced by the guidelines. Notably, the frequency of studies concerning low-level modified devices has been increasing during the last two years. This fact implies the necessity of re-examining the theoretical background concerning the austerity of admissibility methods, since investigations on non-modified devices result in a smaller quantity of acquired evidence. The claims above can also be verified by the fact that recent studies are concerned with, but not restricted to, existing guidelines/specifications. This shows an escape tendency. Apart from the theoretical background, the assumptions extracted may trigger new research interest towards the design and implementation of different hardware architectures for mobile devices, so that they can become more forensic-tolerant.

Bear in mind that the more popular a mobile OS gets, the bigger the amount of research referring to it becomes. For instance, from 2009 to 2011, the number of works concerning Android forensics tripled. Nevertheless, research should not halt for OS types that have become outdated, since they can still contribute a lot to investigations, and newer techniques can be effective on older devices and file systems as well.

Figure A.1: Major smartphone forensics approaches in chronological order. The arrows indicate interrelation between proposals (i.e., [b] has been influenced by [a]).

Twenty-six (26) out of thirty-six (36) works included research on all the data types mentioned in Section A.2.3. This result signifies that everything is relatively important in an investigation and can serve as possible evidence. No data type is disregarded. Still, user data are the most highly appreciated, since they are the most important piece of evidence. As a result, almost every research work takes them into consideration. Another data combination appearing frequently is user and application data. It is mostly spotted in studies concerning social networking or Instant Messaging (IM) applications, where a combination of both data types was inevitable.

A.4.2 Towards a common framework

A lack of standardization and frequent adaptation is a major issue in the field of MF [21, 26]. Rapid changes in technology, and variations and gaps among different kinds of mobile devices and OSs, make the procedure of creating a common framework or standardization model a hard but challenging task for organizations and researchers. Nevertheless, a great number of similar attributes point in that direction. The argument can be validated by acknowledging that there are many common patterns among the acquisition methods and tools designed for each case. The client/server model in forensic tool implementation is one such attribute, present in both Blackberry and Windows Mobile devices [38]. Similar adaptation schemes are present in completely different research works. One of the most vivid examples was the use of approximately the same flowchart concerning acquisition techniques on Android and iOS devices, while there was no direct influence between the two works [33, 40]. Such contributions can set the base of a generally acceptable model. Moreover, many logical acquisition-oriented research works use backup and synchronization suites. Information Systems Analysis Methodology can be applied so that scientists are able to develop a multi-level MF framework, where the lower (zero) level would consist of common, general conceptions, and the higher levels would concern the different attributes and actions performed. The Forensic Spiral [21] was an early official attempt at general standardization, concerning forensic tool deployment in the mobile computing ecosystem. The backbone of the model was based on the fact that technology is shape-shifting quickly; so a potential forensic tool should be able to comply with changes, but not be distributed until it has been officially validated. Modification of the device state at the moment of seizure is another issue to be resolved, and it applies to every kind of device.

A.4.3 Future Challenges

Almost every research work considered in the context of this survey concludes or implies that a forensic investigation is complete when every possible acquisition method has been applied. Even though at least three different physical acquisition methods have been spotted, the most widespread is the use of (adapted) bootloaders, regardless of the OS of the target device. This happens not only because it is considered the safest method among all, but also because it is simultaneously cost-effective and provides satisfying results. Although researchers have found a less painful way of completing physical acquisition procedures, the diffusion of data and documentation is still poor concerning the other kinds. When a real-time incident takes place, forensic analysts will be unable to obtain the amount of information needed in order to perform the other tasks of physical acquisition. Even if large-scale experiments concerning JTAG and chip-off techniques may be less affordable, they still have to be conducted.

The great majority of experiments take place on specific brands of mobile devices. It is generally accepted, though, that even devices that run the same OS present different behavior. As a result, brand and model diversity is another factor that needs to be taken into serious consideration. Many research works rely solely on commercial forensic tools, taking advantage of their ease of use compared to raw acquisition techniques. Even though this approach can be less time-consuming, the results may present a significant loss of evidence.

Newer versions of mobile OSs are either equipped with security mechanisms that are hard to bypass, such as Symbian versions after 9.0, or preserve data integrity with encryption methods to avoid possible compromising situations, such as iOS 4.x. These facts impose the challenge of adapting the existing methods to the new standards. Additionally, effective acquisition methods applied in the past have to be revised, evaluated from the onset and modified (if possible), so as to comply with the attributes of the new technology. Hash functions are used in order to preserve the integrity of the acquired data sets. If the fingerprint of the retrieved file or instance is the same as the original, then the acquisition procedure has been completed successfully. On the other hand, hash functions may allow collisions, which can be used as exploits. An intentionally modified acquired file or instance can bypass the hashing control and then obfuscate an investigation procedure, by altering, deleting or modifying existing data on the device.

Since newer research shows escape tendencies from the theoretical background (which demands a total absence of alterations to the device's state after seizure), it is debatable whether, and to what degree, OS architecture or the low-level modification culture should be revisited. A total recall concerning hardware is a difficult and high-cost procedure; it also will not provide any kind of solution for older devices. On the contrary, enabling rooting privileges from the moment a device is released, and implementing a software-based solution in order to preserve security and prevent misuse, is probably a more decent solution, which can also be applied to older devices by, say, a firmware upgrade.

Last but not least, a research timeline has to be updated over the years, in order to preserve the ability to observe the trends within the field. This will provide researchers with quicker and more effective decision-making processes.

A.5 Conclusions

MF is a discipline which presents steady growth. The research conducted and the ongoing standardization attempts indicate that the area is under continuous development. After identifying the challenges, this work provides a comprehensive review and classification of the state-of-the-art research in the field of MF. It therefore contributes to presenting a holistic view of how MF evolved over the years. Many OSs, acquisition and data type cases were examined and trends deriving from them were observed. As far as we are aware, this is the first time an exhaustive and detailed survey of this kind has been attempted. The current work can be used as a reference by anyone interested in better understanding the facets of this fast-evolving area. It is also expected to foster research efforts towards the development of fully-fledged solutions that put emphasis mostly on the technological, but also on the standardization aspect.
